fix(api): escape $regex value and scope filter allowlist to mongo fields

The contains operator on the mongo store passed the caller-supplied
string straight to $regex, letting metacharacters match unintended
patterns. Escape the value with regexp.QuoteMeta so only literal
substring matching is performed. Drop PG-native flat field names from
the device filter allowlist since the mongo schema only exposes the
nested paths (identity.mac, info.platform).

Author: gustavosbarreto

api/services/device.go

@@ -24,9 +24,7 @@ const StatusAccepted = "accepted"
 var DeviceFilterFields = query.NewFieldConstraints(map[string][]string{
 	"name":          {"contains", "eq", "ne"},
 	"status":        {"eq", "ne"},
-	"mac":           {"contains", "eq", "ne"},
 	"identity.mac":  {"contains", "eq", "ne"},
-	"platform":      {"contains", "eq", "ne"},
 	"info.platform": {"contains", "eq", "ne"},
 	"tags.name":     {"contains", "eq"},
 	"online":        {"bool", "eq"},

api/store/mongo/internal/filters.go

@@ -3,6 +3,7 @@ package internal
 import (
 	"errors"
 	"fmt"
+	"regexp"
 	"strconv"
 	"time"
 
@@ -57,10 +58,12 @@ func ParseFilterProperty(fp *query.FilterProperty) (bson.M, bool, error) {
 }
 
 // fromContains converts a "contains" JSON expression to a Bson expression using "$regex" or "$all".
+// String values are escaped with [regexp.QuoteMeta] so metacharacters supplied by the caller
+// cannot be used to match unintended patterns or build catastrophic regexes.
 func fromContains(value interface{}) (bson.M, error) {
-	switch value.(type) {
+	switch v := value.(type) {
 	case string:
-		return bson.M{"$regex": value, "$options": "i"}, nil
+		return bson.M{"$regex": regexp.QuoteMeta(v), "$options": "i"}, nil
 	case []interface{}:
 		return bson.M{"$all": value}, nil
 	}