-
Type:
Bug
-
Resolution: Won't Fix
-
Priority:
Major - P3
-
None
-
Affects Version/s: None
-
Component/s: Security
-
None
Description from contributor PR: https://github.com/mongodb/mongo-csharp-driver/pull/401
You can make any comparsion by an equal operator if you compare to BsonDocument for example:
Example
Unable to find source-code formatter for language: csharp. Available languages are: actionscript, ada, applescript, bash, c, c#, c++, cpp, css, erlang, go, groovy, haskell, html, java, javascript, js, json, lua, none, nyan, objc, perl, php, python, r, rainbow, ruby, scala, sh, sql, swift, visualbasic, xml, yaml
IMongoCollection<BsonDocument> collection; var value = new BsonDocument { { "$gt", 3 } }; var query = collection.Find(x => x["field"] == value); //it will execute: //find({ "field" : { "$gt" : 3 } })
I think it can cause security vulnerability for unaware developer, who trust, that equal operator always will test for equality:
Unable to find source-code formatter for language: csharp. Available languages are: actionscript, ada, applescript, bash, c, c#, c++, cpp, css, erlang, go, groovy, haskell, html, java, javascript, js, json, lua, none, nyan, objc, perl, php, python, r, rainbow, ruby, scala, sh, sql, swift, visualbasic, xml, yaml
public List<BsonDocument> GetObjectByUser(IMongoCollection<BsonDocument> collection, BsonValue data) { return collection.Find(x => x["userId"] == data["userId"]).ToList(); } public void Attack(IMongoCollection<BsonDocument> collection) { var data = GetObjectByUser(collection, new BsonDocument { { "userId", new BsonDocument { { "$ne", ObjectId.Empty } } } }); }