- Type: Bug
- Resolution: Unresolved
- Priority: Minor - P4
- Affects Version/s: None
- Component/s: None
- Go Drivers
- Go driver bson.Raw.Validate panic on zero-length BSON document
-
- Summary
`bson.Raw.Validate` can panic when it is called on a malformed four-byte BSON document whose declared length is zero. At commit `ef05d4c572f9f520200c86a474274c56fb6dfdf2`, the public raw validation API forwards caller-supplied bytes into `bsoncore.Document.Validate`, which rejects negative and oversized lengths but uses a zero length to index before the start of the buffer. Applications that validate attacker-controlled raw BSON with this API can therefore turn a malformed input into a deterministic process panic instead of a validation error.
-
- Affected
- Project: mongodb-mongo-go-driver
- Repo: https://github.com/mongodb/mongo-go-driver
- Pinned ref: ef05d4c572f9f520200c86a474274c56fb6dfdf2
- Severity: CVSS 3.1 7.5/10 — `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
-
- Root cause
The vulnerable path begins at the public raw BSON validator: `bson/raw.go:34` implements `func (r Raw) Validate() (err error) { return bsoncore.Document(r).Validate() }`, so caller-controlled raw bytes are validated as a `bsoncore.Document`. `x/bsonx/bsoncore/bsoncore.go:721` reads the first four bytes as a signed int32 length, and the guard at `x/bsonx/bsoncore/bsoncore.go:723` rejects only negative values. A zero declared length therefore reaches `x/bsonx/bsoncore/document.go:405`, where the only document-length check rejects lengths greater than the buffer size. For a four-byte input declaring length zero, that oversized-length guard is satisfied, and `x/bsonx/bsoncore/document.go:408` evaluates `d[length-1]`, which becomes `d[-1]` and raises a Go runtime index-out-of-range panic before a BSON validation error can be returned.
-
- Reproduction
```bash
bash ./poc/run.sh
```
```text
TRIGGERED: bson.Raw.Validate panicked on malformed document length
```
The `TRIGGERED:` line is printed only by the PoC's panic recovery path, after `bson.Raw.Validate` has panicked on the malformed zero-length document. A normal validation error, a build failure, or a setup problem does not print this fingerprint, so seeing it confirms that the vulnerable index path fired rather than some other failure.
-
- Impact
An unauthenticated remote client can trigger this condition whenever an application endpoint accepts raw BSON bytes and passes them to `bson.Raw.Validate`, or an equivalent wrapper, without recovering panics. The attacker needs only a four-byte buffer whose declared BSON length is zero: the input satisfies the parser's sole size requirement (four bytes from which to read an int32 length), is not rejected by the negative-length or oversized-length guards, and is never checked against the BSON structural minimum of five bytes (a four-byte length plus the terminating null), because the parser does not enforce that minimum. The result is a deterministic Go runtime panic in the caller process, which is a denial-of-service issue for affected embedding applications.
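The following is an added example, not the driver's code and not the ticket's PoC. It models in plain Go the check sequence the root cause describes (`readLength` and `validateVulnerable` are simplified stand-ins for `bsoncore.ReadLength` and `bsoncore.Document.Validate`, written for this example), places the hardened variant that enforces the five-byte BSON minimum beside it, and shows the `recover`-based wrapper an embedding application can put around the unfixed validator so the malformed input surfaces as an error instead of a process crash. All sample documents are constructed here.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed sample inputs for this example. A BSON document is a little-endian
// int32 length (counting itself and the trailing 0x00), then elements, then 0x00.
var (
	zeroLengthDoc = []byte{0x00, 0x00, 0x00, 0x00}       // declares length 0: the ticket's trigger
	emptyDoc      = []byte{0x05, 0x00, 0x00, 0x00, 0x00} // smallest valid document
	shortDoc      = []byte{0x01, 0x02}                   // too short to hold a length
	oversizedDoc  = []byte{0x10, 0x00, 0x00, 0x00, 0x00} // declares 16 bytes, carries 5
)

var (
	errInsufficientBytes = errors.New("insufficient bytes to read document length")
	errNegativeLength    = errors.New("negative document length")
	errLengthTooLarge    = errors.New("declared length exceeds buffer")
	errLengthTooSmall    = errors.New("declared length below BSON minimum of 5 bytes")
	errMissingNull       = errors.New("document missing terminating null byte")
)

// readLength is a stand-in for the driver's length reader as the ticket describes it:
// it needs four bytes and rejects a negative value, but lets zero through.
func readLength(src []byte) (int32, error) {
	if len(src) < 4 {
		return 0, errInsufficientBytes
	}
	length := int32(binary.LittleEndian.Uint32(src))
	if length < 0 {
		return 0, errNegativeLength
	}
	return length, nil
}

// validateVulnerable models the check order that produces the panic: the only
// size guard rejects lengths larger than the buffer, so length 0 passes and
// d[length-1] evaluates d[-1]. Simplified model for this example, not driver code.
func validateVulnerable(d []byte) error {
	length, err := readLength(d)
	if err != nil {
		return err
	}
	if int(length) > len(d) {
		return errLengthTooLarge
	}
	if d[length-1] != 0x00 { // runtime panic: index out of range [-1] when length == 0
		return errMissingNull
	}
	return nil
}

// validateHardened adds the structural lower bound: every document is at least
// five bytes (four-byte length plus terminating 0x00), so length-1 is always in range.
func validateHardened(d []byte) error {
	length, err := readLength(d)
	if err != nil {
		return err
	}
	if length < 5 {
		return errLengthTooSmall
	}
	if int(length) > len(d) {
		return errLengthTooLarge
	}
	if d[length-1] != 0x00 {
		return errMissingNull
	}
	return nil
}

// safeValidate is the mitigation an embedding application can apply around the
// unfixed driver: call the validator and turn a runtime panic into an ordinary
// error so one malformed request cannot take down the process.
func safeValidate(validate func([]byte) error, d []byte) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("validator panicked on malformed input: %v", r)
		}
	}()
	return validate(d)
}

func main() {
	cases := []struct {
		name string
		doc  []byte
	}{
		{"zero-length", zeroLengthDoc},
		{"empty", emptyDoc},
		{"short", shortDoc},
		{"oversized", oversizedDoc},
	}
	for _, c := range cases {
		fmt.Printf("%-11s vulnerable: %v\n", c.name, safeValidate(validateVulnerable, c.doc))
		fmt.Printf("%-11s hardened:   %v\n", c.name, safeValidate(validateHardened, c.doc))
	}
}
```

The ordering of the guards is the point: the `length < 5` check must come before the first index into `d`, and checking it before the `len(d)` comparison means a four-byte buffer is rejected on structure rather than reaching the index at all. The `recover` wrapper is a stopgap for callers, not a fix for the driver, since it still lets an attacker spend a goroutine panic per request.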
-
- References
- https://github.com/mongodb/mongo-go-driver/blob/ef05d4c572f9f520200c86a474274c56fb6dfdf2/bson/raw.go#L34
- https://github.com/mongodb/mongo-go-driver/blob/ef05d4c572f9f520200c86a474274c56fb6dfdf2/x/bsonx/bsoncore/bsoncore.go#L721
- https://github.com/mongodb/mongo-go-driver/blob/ef05d4c572f9f520200c86a474274c56fb6dfdf2/x/bsonx/bsoncore/document.go#L400
- https://github.com/mongodb/mongo-go-driver/blob/ef05d4c572f9f520200c86a474274c56fb6dfdf2/x/bsonx/bsoncore/document.go#L408
- related to
  - GODRIVER-3024 Runtime Error 'index out of range' in MongoDB Go Driver ExtJSON Parsing (Backlog)
  - JAVA-6220 Java driver RawBsonDocument accessors accept malformed zero-length string field (In Code Review)
  - NODE-7598 js-bson: three input-validation gaps in parsing/serialization (Investigating)