mongo definition store regex protection

[jeffmcaffer]

in mongo.js the list method takes coordinates from the user, constructs a regex and runs it in mongo. We should look to see if that needs protection against DoS attacks (does mongo/cosmosdb already handle this somehow), should we check anyway?

[moranthomas]

General Guidelines:

Prevent query injection attacks

1. Always make use of a library (e.g. mongoose) that sanitizes data - they have built-in protection against injection attacks
2. Never use the $where operator. 
3. Accept only strings from your users (never objects by design) 
4. The fact that these are EntityCoordinates means that they are already well defined and tightly constrained objects, however

Avoid DOS attacks by explicitly setting when a process should crash

1. The Node process will crash when errors are not handled.
2. Alert with critical severity anytime a process crashes due to an unhandled error
3. Validate the input and avoid crashing the process due to invalid user input
4. Wrap all routes with a catch

[dabutvin]

see https://github.com/sindresorhus/escape-string-regexp