Heroku - mLab MongoDB Add-on Discontinued
alejandrosaenz117 opened this issue · 5 comments
The mLab MongoDB Add-on will be shutting down on November 10th and may inadvertently affect the Deploy to Heroku
functionality. The following documentation contains specific information.
@Whamo12 Thanks for the information. We should migrate to MongoDB Atlas as suggested here:
https://docs.mlab.com/how-to-migrate-sandbox-heroku-addons-to-atlas/
Something to bear in mind is that the Atlas M0 tier doesn't support server-side javascript (from: Atlas M0 (Free Tier)... Limitations).
There's currently a $where query in allocations-dao.js, which is used to demonstrate NoSQL injection vulnerabilities:
NodeGoat/app/data/allocations-dao.js
Line 78 in 5b6a307
EDIT: By the way, mongolab has already been removed from the addons list on the heroku dashboard. It can be added to apps using the CLI, but not the dashboard.
The NodeGoat deploy button still works, despite a spurious warning that mongolab wasn't found. Ignore the warning and mongolab gets provisioned correctly.
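Added example, not part of the thread and not NodeGoat's own code: a sketch of the `$where` pattern mentioned above beside an operator-based query that needs no server-side JavaScript and so also runs on Atlas M0. The function names, the 0 to 99 threshold range and the assumption that `stocks` is stored as a number are constructed for illustration.

```javascript
// Added illustration; function names and sample values are constructed,
// not copied from NodeGoat's allocations-dao.js.

// Vulnerable pattern: the threshold string is spliced into a JavaScript
// expression that MongoDB evaluates server-side via $where, so whatever the
// client sends becomes part of the code. Atlas M0 rejects such queries
// because server-side JavaScript is unavailable on that tier.
function buildWhereQuery(userId, threshold) {
  return { $where: `this.userId == ${userId} && this.stocks > '${threshold}'` };
}

// Hardened pattern: validate the input, then express an equivalent filter
// with ordinary query operators (assumes stocks is stored as a number).
function buildOperatorQuery(userId, threshold) {
  const id = Number.parseInt(userId, 10);
  if (!Number.isSafeInteger(id)) {
    throw new TypeError("userId must be an integer");
  }
  // Accept only plain decimal digits; parseInt alone would accept "12abc".
  // The 0-99 range is an assumed business rule.
  if (typeof threshold !== "string" || !/^\d{1,2}$/.test(threshold)) {
    throw new RangeError("threshold must be an integer from 0 to 99");
  }
  return { userId: id, stocks: { $gt: Number(threshold) } };
}

// Audit helper: recursively flag any query document that still relies on
// server-side JavaScript operators ($where, $function, $accumulator).
function usesServerSideJs(query) {
  if (query === null || typeof query !== "object") return false;
  return Object.entries(query).some(
    ([key, value]) =>
      key === "$where" || key === "$function" || key === "$accumulator" ||
      usesServerSideJs(value)
  );
}
```

Running `usesServerSideJs` over the query documents a data-access layer builds is a quick way to find code paths that will break on a tier without server-side JavaScript.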
I've made a task list for the work to resolve this issue. Feedback is welcome on whether this is the right approach, or if I missed anything important.
The work to fix the "Deploy to Heroku" button can be done by any contributor (done, see PR #215):
- Remove mongolab:sandbox addon from app.json
- Add a MONGODB_URI env variable to app.json (required, default "")
- Remove reference to the current mLab database from config/env/all.js
- Remove support for MONGOLAB_URI in config/env/all.js (only needed for the mongolab addon)
- Upgrade mongodb driver to v3.x (required to connect to Atlas M0) (Tested, works with current version)
- Update heroku deploy instructions in README.md to cover database setup
- Update tutorial for A1 - Injection to say NoSQL injection is blocked on deployments using Atlas M0
These tasks can only be done by members of the core project team:
- Create a new Atlas account, database and user for http://nodegoat.herokuapp.com/
- Update http://nodegoat.herokuapp.com/ to use the new Atlas DB and user
- Once the tasks above and #213 are resolved, shut down the mLab database
I'd be happy to make a PR for the first set of tasks (if no-one's already lined up to do it).
Reminder: mongolab heroku addons are due to be deleted on Tuesday, November 10th. When that happens, any mLab databases still attached to a mongolab heroku addon will be deleted.
Hopefully the database for http://nodegoat.herokuapp.com/ has already been detached from its addon, otherwise the app will go down when the database gets deleted on Tuesday.
@rcowsill Thank you for staying on top of this and the PR. @Whamo12, appreciate your reporting this issue.
Merged the PR. I wanted to provide a default Atlas DB URL for a quick start for those who don't have it or willing to create an account on Atlas. Hence restored the all.js as before except with Atlas DB URL. We can revise this logic, if any suggestions.
Closing this issue.