DOCS-328 (Documentation project)

A (malicious) JS script can set EDITOR to an unsafe value

    • Type: Task
    • Resolution: Done
    • Priority: Trivial - P5
    • Server_Docs_20231030
    • Affects Version/s: None
    • Component/s: Server
    • Labels: None
    • Environment: Linux
    • Description:

      Running a JS script with

      mongo --shell <malicious_script.js>

      can set the EDITOR variable, which is used to launch an editor via the edit command. Because edit just forks off a process with the command string "<EDITOR value> <temp filename>", if EDITOR is set to, say, rm -rf ~/, bad things can happen.

      Programs that make use of the EDITOR environment variable all operate the same way (and by that I mean they don't check to see if the value is actually an editor, because, well, they can't really). I propose clearly documenting that mongo is no different in this regard and warning users to be careful that scripts they run in the shell can modify the EDITOR variable.

      Another possibility is clearing out the EDITOR JS variable after any script is run.

    • Assignee: Mark Porter
    • Reporter: Daniel Gottlieb (Inactive)
    • Votes: 0
    • Watchers: 3
    • Resolved: 11 years, 33 weeks, 6 days ago
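As an added illustration, not MongoDB's code: a Python model of the two sides of this ticket. `vulnerable_edit_command` mirrors the "<EDITOR value> <temp filename>" shell string the report describes; `validate_editor` and `launch_editor` are a hardened launcher that accepts only an allow-listed editor name plus simple flags and runs it as an argv list with no shell in between; `run_script_with_editor_guard` is the second proposed mitigation, discarding any change a script made to EDITOR. The allow-list and the validation policy are assumptions of this example.

```python
import re
import shlex
import subprocess

# Constructed allow-list of editor program names the host is willing to run.
ALLOWED_EDITORS = {"vi", "vim", "nvim", "nano", "emacs"}

def vulnerable_edit_command(editor_value: str, tmp_path: str) -> str:
    # Models what the ticket describes: EDITOR and the temp file name are glued
    # into one command string for a shell, so whatever a script put in EDITOR
    # runs verbatim.
    return f"{editor_value} {tmp_path}"

def validate_editor(editor_value: str):
    """Return an argv list if EDITOR looks like an editor, else None.
    Policy (an assumption of this example): a bare allow-listed program name,
    optionally followed by simple option flags; paths, shell metacharacters
    and extra positional arguments are all rejected."""
    try:
        parts = shlex.split(editor_value)
    except ValueError:  # unbalanced quotes and similar
        return None
    if not parts:
        return None
    prog, opts = parts[0], parts[1:]
    if prog not in ALLOWED_EDITORS:  # also rejects "/tmp/evil/vim" and "vim;"
        return None
    if not all(re.fullmatch(r"-[A-Za-z0-9-]+", o) for o in opts):
        return None
    return [prog, *opts]

def launch_editor(editor_value: str, tmp_path: str) -> bool:
    """Hardened launcher: validated argv list handed to exec, no shell."""
    argv = validate_editor(editor_value)
    if argv is None:
        return False
    subprocess.run([*argv, tmp_path], check=False)  # never shell=True
    return True

def run_script_with_editor_guard(state: dict, script) -> dict:
    """Run an untrusted script against the shell's state, then discard any
    change it made to EDITOR (the ticket's second proposed mitigation)."""
    saved = state.get("EDITOR")
    script(state)
    if saved is None:
        state.pop("EDITOR", None)
    else:
        state["EDITOR"] = saved
    return state
```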