Uploaded image for project: 'C# Driver'
  1. C# Driver
  2. CSHARP-3080

Fix possible nosql injection

    XMLWordPrintableJSON

Details

    • Icon: Bug Bug
    • Resolution: Won't Fix
    • Icon: Major - P3 Major - P3
    • None
    • None
    • Security
    • None

    Description

      Description from contributor PR: https://github.com/mongodb/mongo-csharp-driver/pull/401

      You can make any comparsion by an equal operator if you compare to BsonDocument for example:

      Example

      IMongoCollection<BsonDocument> collection;
      var value = new BsonDocument { { "$gt", 3 } };
      var query = collection.Find(x => x["field"] == value);
       
      //it will execute:
      //find({ "field" : { "$gt" : 3 } })
      

      I think it can cause security vulnerability for unaware developer, who trust, that equal operator always will test for equality:

      public List<BsonDocument> GetObjectByUser(IMongoCollection<BsonDocument> collection, BsonValue data)
      {
      	return collection.Find(x => x["userId"] == data["userId"]).ToList();
      }
      public void Attack(IMongoCollection<BsonDocument> collection)
      {
      	var data = GetObjectByUser(collection, new BsonDocument { { "userId", new BsonDocument { { "$ne", ObjectId.Empty } } } });
      }
      

      Attachments

        Activity

          People

            Unassigned Unassigned
            vincent.kam@mongodb.com Vincent Kam (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: