[backport 24.05] dbviewer: harden aggregation and query handling

[ar2rsawseen]

Backport of #7686 to release.24.05, adapted to the older dbviewer code (which only blocked top-level $graphLookup and had no stage allow-list, so $lookup/$unionWith/$function/$out and nested $facet joins all passed through — a non-admin with access to any collection could $lookup into the global members collection).

What it adds

• Role-parameterized aggregation guard (parts/aggregation_guard.js): validate the pipeline against an allow-list of stages — ALLOWED_STAGES_USER (no joins/writes) or ALLOWED_STAGES_GLOBAL_ADMIN (adds the join/union stages) — stripping anything not allowed at every depth, and rejecting server-side-JS operators ($function/$accumulator/$where) and joins/unions into members/auth_tokens at any depth (including for global admins). Replaces the $graphLookup-only check; both aggregation paths call the same routine with the role's list. The guard is collection-agnostic, so it works the same regardless of how events are stored.
• find() projection restricted to strict include/exclude (drops expression/alias values); _id search escaped to a literal (ReDoS-safe).
• members.two_factor_auth redacted alongside password/api_key; the redaction is placed as the first aggregation stage so no user stage can read raw fields first.
• Result-size caps and generic 500s instead of raw MongoDB errors.

Notes vs master

• The single-document app-scope from dbviewer: harden aggregation and query handling #7686 is omitted: it relied on getBaseAppFilter (which does not exist on 24.05). It is also not needed here — 24.05 stores events per app/event (no combined events_data/drill_events collection), and the document path has no cross-app bypass, so there is no combined collection to read across apps by _id.
• The 24.05 aggregate() has no "removed stages" output, so stripped stages aren't reported back (they are still stripped).
• The guard modules and unit tests are identical to master.

27 unit tests pass.

🤖 Generated with Claude Code

[Copilot]

Pull request overview

Backports DB Viewer security hardening to release.24.05 by introducing role-based aggregation pipeline sanitization, tightening find() query handling, and expanding credential redaction to reduce data exfiltration and server-side execution risks.

Changes:

• Add a role-parameterized aggregation pipeline guard with an allow-list, deep stage stripping, and hard rejects for server-side-JS operators and joins into protected collections.
• Harden find() handling by restricting projections to strict include/exclude and escaping _id search input for safe RegExp construction.
• Expand redaction (members.two_factor_auth) and make server responses less error-revealing; add unit tests for the new guards.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
plugins/dbviewer/api/api.js	Integrates aggregation/query guards, caps limits, improves redaction, and returns generic 500s for unexpected Mongo errors.
plugins/dbviewer/api/parts/aggregation_guard.js	New deep-walking aggregation sanitizer with role allow-lists and hard-rule rejection for dangerous operators/joins.
plugins/dbviewer/api/parts/query_guard.js	New helpers to sanitize find() projections and escape user-supplied regex input.
test/unit-tests/plugins.dbviewer.aggregation-guard.js	Adds unit tests covering allow-list behavior, deep stripping, and hard-rule rejections.
test/unit-tests/plugins.dbviewer.query-guard.js	Adds unit tests for projection sanitization and regex escaping.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.