Fix mongoose normalization preventing detection #963
timokoessler wants to merge 3 commits into main from
library/sinks/Mongoose.ts (outdated)
}

// We need to clone the filter because mongoose modifies it in place
const filter = structuredClone(args[1]);
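Review bot: structuredClone(args[1]) throws a DataCloneError when the filter contains a function and drops the prototype of class instances, so a filter holding ObjectId or Decimal128 values is stored as plain objects; because this runs inside the cast hook, a throw here aborts the user's query instead of only the detection. Wrap the clone in a try/catch that falls back to not recording the copy, and extend the comment to say which value types the stored notNormalizedNoSqlFilter is expected to preserve.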
Using structuredClone on the filter for every cast invocation copies potentially large objects per call. Avoid per-call deep cloning in hot paths or limit cloning to when necessary.
✨ AI Reasoning
The new Mongoose.#inspectFilter clones the filter via structuredClone(args[1]) and then updateContext(context, 'notNormalizedNoSqlFilter', filter) on each cast invocation. Mongoose's cast logic is executed frequently during query building; cloning potentially large filter objects per call creates significant CPU and memory overhead proportional to number and size of queries. This turns a previously cheap hook into an O(n) per-call copy, which can be expensive under load.
🔧 How do I fix it?
Move constant work outside loops. Use StringBuilder instead of string concatenation in loops. Cache compiled regex patterns. Use hash-based lookups instead of nested loops. Batch database operations instead of N+1 queries.
Codecov Report: ✅ All modified and coverable lines are covered by tests.
@@ -0,0 +1,9 @@
// Node.js v16 does not have structuredClone, so we need to use a polyfill
const clonneFunction =
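Review bot: the right-hand side of the clonneFunction assignment is not visible in this hunk, so the fallback selected when globalThis.structuredClone is missing on Node.js 16 cannot be reviewed here; whichever implementation it is, document in the comment that it must copy the value types that occur in filters (nested objects, arrays, Date, RegExp) the same way structuredClone does, otherwise the stored not-normalized filter, and with it the detection result, differs between Node.js versions.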
Variable 'clonneFunction' is misspelled/unclear; rename to 'cloneFunction' (or similar) to make its purpose obvious.
✨ AI Reasoning
A newly added function variable has a misspelled and unclear name, making its purpose less obvious to readers. The code introduces a variable holding the cloning implementation named with a typo that closely resembles the exported 'clone' function, increasing cognitive load and potential confusion. Renaming this variable to a clear, descriptive name would make intent self-evident.
🔧 How do I fix it?
Use descriptive verb-noun function names, add docstrings explaining the function's purpose, or provide meaningful return type hints.
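The behaviour both review threads revolve around, as an added example that is not code from this PR or from the library it patches: a filter is cast in place, so a copy has to be taken before the cast if detection wants to compare the filter against what the request actually sent, and that copy needs a structuredClone fallback on runtimes without it. castInPlace is a constructed stand-in for schema casting (it only coerces values under the listed paths to Number) and does not reproduce what mongoose does; cloneFallback, filterContainsInput and the request input are assumptions made for the example.

```javascript
// Added example; not the PR's code. Illustrates why the filter must be copied
// before an in-place cast, with a structuredClone fallback for Node.js < 17.

// Fallback for runtimes without globalThis.structuredClone.
// Assumption: filters hold only JSON-like values, Date, RegExp, arrays and plain objects.
function cloneFallback(value) {
  if (value === null || typeof value !== "object") return value;
  if (value instanceof Date) return new Date(value.getTime());
  if (value instanceof RegExp) return new RegExp(value.source, value.flags);
  if (Array.isArray(value)) return value.map(cloneFallback);
  const copy = {};
  for (const key of Object.keys(value)) copy[key] = cloneFallback(value[key]);
  return copy;
}

const cloneFilter =
  typeof globalThis.structuredClone === "function"
    ? (value) => globalThis.structuredClone(value)
    : cloneFallback;

// Stand-in for schema casting (constructed, not mongoose's logic): every value
// under `numberPaths` is coerced to Number, mutating the filter object in place.
function castInPlace(filter, numberPaths) {
  for (const path of numberPaths) {
    const condition = filter[path];
    if (condition === undefined) continue;
    if (condition !== null && typeof condition === "object") {
      for (const op of Object.keys(condition)) condition[op] = Number(condition[op]);
    } else {
      filter[path] = Number(condition);
    }
  }
  return filter;
}

// Structural comparison used by the detection below.
function deepEqual(a, b) {
  if (a === b) return true;
  if (typeof a !== "object" || typeof b !== "object" || a === null || b === null) return false;
  const keysA = Object.keys(a);
  const keysB = Object.keys(b);
  return keysA.length === keysB.length && keysA.every((k) => deepEqual(a[k], b[k]));
}

// Detection: does any subtree of the filter equal the user-controlled input?
function filterContainsInput(filter, userInput) {
  if (deepEqual(filter, userInput)) return true;
  if (filter === null || typeof filter !== "object") return false;
  return Object.values(filter).some((child) => filterContainsInput(child, userInput));
}

// Constructed request input: an operator object the client sent as req.body.age.
const userInput = { $gt: "0" };

// No copy: after the cast the filter holds { $gt: 0 }, which no longer matches
// the string the client sent, so the injected operator goes undetected.
function detectWithoutClone() {
  const filter = { age: { $gt: "0" } };
  castInPlace(filter, ["age"]);
  return filterContainsInput(filter, userInput);
}

// Copy taken before the cast: the not-normalized filter still matches the input.
function detectWithClone() {
  const filter = { age: { $gt: "0" } };
  const notNormalizedFilter = cloneFilter(filter);
  castInPlace(filter, ["age"]);
  return filterContainsInput(notNormalizedFilter, userInput);
}
```

The copy is cheap for typical filters but, as the first review comment notes, it is taken on every cast; if that becomes a hot path, measure before optimising, since skipping the copy is exactly the bug this PR fixes.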