Incorrect error thrown when objectSize is negative

XMLWordPrintableJSON

    • Type: Sub-task
    • Resolution: Fixed
    • Priority: Unknown
    • bson-7.3.0
    • Affects Version/s: None
    • Component/s: None
    • 0
    • Not Needed
    • None
    • Not Needed
    • Hide

      1. What would you like to communicate to the user about this feature?
      2. Would you like the user to see examples of the syntax and/or executable code and its output?
      3. Which versions of the driver/connector does this apply to?

      Show
      1. What would you like to communicate to the user about this feature? 2. Would you like the user to see examples of the syntax and/or executable code and its output? 3. Which versions of the driver/connector does this apply to?
    • None
    • None
    • None
    • None
    • None
    • None

      Deserializer test that throws wrong error when objectSize is negative:

          it('throws a precise error when the scope document size field is negative', () => {
            // Craft a code_w_scope element whose scope objectSize = -1.
            //
            // The totalSize cross-check computes:
            //   4 (totalSize field) + 4 (string_size field) + stringSize + objectSize
            // With stringSize = 6 ("hello\0") and objectSize = -1:
            //   4 + 4 + 6 + (-1) = 13, which equals totalSize = 13.
            // Both inequality guards pass, and 13 also clears the minimum-length check (>= 13).
            //
            // Without the objectSize <= 0 guard the frame is created with lastIndex = _index - 1.
            // Since lastIndex is already behind the current index, the outer null terminator is
            // consumed by the scope's terminator check, which fails the exact-match (index !== lastIndex)
            // and throws 'Bad BSON Document: object not properly terminated' — pointing at the outer
            // document rather than the malformed scope size field.  The fix produces a precise error
            // from the right layer instead.
            const buf = bufferFromHexArray([
              '0f',                                    // BSON_DATA_CODE_W_SCOPE
              '6600',                                  // key 'f' + null
              int32LEToHex(13),                        // totalSize = 4+4+6+(-1) = 13
              int32LEToHex(6),                         // code string length = 6 ("hello" + null)
              '68656c6c6f00',                          // code string "hello\0"
              'ffffffff'                               // scope objectSize = -1 — the malicious value
            ]);
            expect(() => BSON.deserialize(buf)).to.throw(BSON.BSONError, 'bad scope document size');
          });
      

      Use Case

      As a... (who is this for)
      I want... (what is the desired change)
      So that... (why is the change desired)

      User Experience

      • What is the desired/expected outcome for the user once this ticket is implemented?
      • If bug: What is the number of impacted customers? How severe is the impact? Is anyone blocked or broken?

      Dependencies

      • upstream and/or downstream requirements and timelines to bear in mind

      Risks/Unknowns

      • What could go wrong while implementing this change? (e.g., performance, inadvertent behavioral changes in adjacent functionality, existing tech debt, etc)
      • Is there an opportunity for better cross-driver alignment or testing in this area?
      • Is there an opportunity to improve existing documentation on this subject?

      Acceptance Criteria

      Implementation Requirements

      • functional reqs, potential snafus to avoid, performance targets, etc

      Testing Requirements

      • unit test, spec test sync, etc

      Documentation Requirements

      • DOCSP ticket, API docs, etc

      Follow Up Requirements

      • additional tickets to file, required releases, etc
      • if node behavior differs/will differ from other drivers, confirm with dbx devs what standard to aim for and what plan, if any, exists to reconcile the diverging behavior moving forward

            Assignee:
            Pavel Safronov
            Reporter:
            Pavel Safronov
            Sergey Zelenov
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: