Merge pull request #896 from finos/alert-autofix-83

fix: Database query built from user-controlled sources

Author: JamieSlome

src/db/mongo/pushes.js

@@ -57,7 +57,10 @@ const writeAudit = async (action) => {
   const options = { upsert: true };
   const collection = await connect(cnName);
   delete data._id;
-  await collection.updateOne({ id: data.id }, { $set: data }, options);
+  if (typeof data.id !== 'string') {
+    throw new Error('Invalid id');
+  }
+  await collection.updateOne({ id: { $eq: data.id } }, { $set: data }, options);
   return action;
 };