http://ayende.comAyende @ RahienCopyright (C) Ayende Rahien 2004 - 2021 (c) 202660Rohland, That is an excellent suggestion!http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment29http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment29Wed, 25 Jul 2012 03:50:09 GMTMatt, The _purpose_ of this feature is to allow arbitrary code execution on the server. Now, there are safeguards there that make _really_ hard to do BAD THINGS, but the whole point is to allow the user great level of freedom in how they patch the document. We support variables, so that you don't have to do things using string concat. Beyond that, it is the user responsibility to clean up their input. http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment28http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment28Wed, 25 Jul 2012 03:49:21 GMT@Matt Once you implement the strongly typed C# api people will be able to thank you for LINQ-to-JAVASCRIPT :)http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment27http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment27Wed, 25 Jul 2012 00:21:41 GMTMatt, awesome, that was my second train of thought.http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment26http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment26Wed, 25 Jul 2012 00:05:55 GMT@Damien Unfortunately no, I'm not that Matt Warren. I wish I was though, writing LINQ-to-SQL and working on the C# Compiler team would be pretty cool. I have got mistaken for him on SO a few times though!! People have thanked me for LINQ-to-SQL!!!!http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment25http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment25Tue, 24 Jul 2012 21:26:53 GMTNice work. Perhaps the name 'ScriptedPatchRequest' is more suitable? 'AdvancedScriptRequest' is rather limiting given the pace of development ;)http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment24http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment24Tue, 24 Jul 2012 20:29:04 GMTNot to be confused with the Matt Warren that wrote LINQ to SQL and IQToolkit...http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment23http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment23Tue, 24 Jul 2012 20:15:50 GMT@Matt What you can do inside the script is pretty constrained. For instance, you only have basic JavaScript functions, plus a few helpers RavenDB injects for you. Also you are only given access to the Json version of a doc, nothing else.http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment22http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment22Tue, 24 Jul 2012 15:55:51 GMTReally cool, but is there a security risk here? I see that input values are parameratized to prevented attacks similar to SQL injection, although I suppose a developer could screw that up with string concatenation when building their script if they wanted to. How well does the underlying HTTP command encapsulate the script to prevent other types of escaping? I wouldn't want someone to be able to find a magic escape sequence that lets them enter random javascript into a field and have it executed in the patch command.http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment21http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment21Tue, 24 Jul 2012 15:37:26 GMTAndres, Go and compare a CouchDB view to RavenDB index, then tell me you want to write it in JShttp://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment20http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment20Tue, 24 Jul 2012 14:43:19 GMTWhen RavenDb index also is indexing Json docs.http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment19http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment19Tue, 24 Jul 2012 14:40:07 GMT@Michael, @Anders I've got plans to implement a strongly typed C# api, with LINQ/lambdas, that would then produce the JavaScript for you. But it'll be a while before it's available. Plus JavaScript is a nice fit in this case, because your're editing Json docs.http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment18http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment18Tue, 24 Jul 2012 14:02:21 GMTMichael +1 It could be great if you use the same approach / language than index definitions: All Javascript or all .NET or Linqhttp://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment17http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment17Tue, 24 Jul 2012 13:26:19 GMTMichael, Between different machines? So the server now depends on the client? And you can't easily limit what they can do.http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment16http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment16Tue, 24 Jul 2012 12:01:08 GMTAyende, you would need to serialize/deserialize the delegate (I don't know what the feasibility of doing this is). In terms of the code, presumably you could sandbox or limit it to certain calls. What context does the IronJS script run under? I wasn't thinking about the technical implementation, but more so what the API could look like... maybe something like: Script = (Doc doc) => { doc.FullName = doc.FirstName + " " + doc.LastName; Remove.Property(() => doc.FirstName); Remove.Property(() => doc.LastName); }) Just thinking out loud...:) http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment15http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment15Tue, 24 Jul 2012 11:55:56 GMTRob, All of those new features are going into the 1.2 version, which we expect will be out in a few months in a stable version. Once that is done, RavenHQ will start doing their own internal testing & rollout.http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment14http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment14Tue, 24 Jul 2012 11:30:47 GMTVery cool. I have some uses I can think of. As you announce new features here, I've been wondering: what's the best way to know when a particular feature is supported on RavenHQ?http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment13http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment13Tue, 24 Jul 2012 11:25:26 GMTAwesome! If this is not even the cool stuff as Ayende said, I just cannot wait until the follow-up post... It's really just like magic to send javascript to a database to patch documents. This makes nearly all of my version migration concerns just ease away... :-) RavenDB just gets better and better.... and.... to quote Ayende: "It just works...." :-) You Sir, put a big smile on my face today... http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment12http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment12Tue, 24 Jul 2012 11:25:00 GMTMichael, What happens when you are running on a remote server? What happens if I don't WANT you to execute random unverifable code on my server?http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment11http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment11Tue, 24 Jul 2012 10:53:24 GMTVery cool. I wonder if you could use something like Deleporter to do it in C# instead of JS? http://blog.stevensanderson.com/2010/03/09/deleporter-cross-process-code-injection-for-aspnet/http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment10http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment10Tue, 24 Jul 2012 10:40:57 GMTGreat, I was wondering how long will it be before RavenDB has a javascript interpreter.http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment9http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment9Tue, 24 Jul 2012 10:28:36 GMTBTW, this means that RavenDB now is part of the NoSQL "cool-gang", it has an embedded JavaScript interpreter!!!!http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment8http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment8Tue, 24 Jul 2012 09:35:12 GMT@Ender, it's using IronJS (https://github.com/fholm/IronJS/) to do thishttp://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment7http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment7Tue, 24 Jul 2012 09:25:55 GMTjhovgaard , This is in the 203x and up builds, I think Suggest a way to do that from the studio. http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment6http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment6Tue, 24 Jul 2012 09:25:41 GMTEnder, IronJShttp://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment5http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment5Tue, 24 Jul 2012 09:25:13 GMTThis is very nice! Starting from which version is this possible? Btw, is there any plans on adding the ability to bulk modify documents directly from the Studio? It's very inconvenient that we need to write code (and compile it) to do "bigger" changes. Thanks! jhovgaardhttp://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment4http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment4Tue, 24 Jul 2012 09:18:54 GMTThe really cool part must be the ability to send a *.patch file :)http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment3http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment3Tue, 24 Jul 2012 09:18:00 GMTWhat is RavenDB using to interpret JavaScript?http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment2http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment2Tue, 24 Jul 2012 09:17:36 GMTNew API changes for patching are so hot. http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment1http://ayende.com/157185/awesome-ravendb-feature-of-the-day-evil-patching#comment1Tue, 24 Jul 2012 09:15:44 GMT