Core Server / SERVER-18046

security.javascriptEnabled allows aggregation with $group stage

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • None
    • Affects Version/s: 2.6.5
    • Component/s: JavaScript, Security
    • Labels: None
    • ALL

      Set javascriptEnabled to false, restart all servers in replica set, and try to execute a JS job.

      Hi all!

      I'm currently using MongoDB from EPEL7 repos (version 2.6.5) and on RHEL7 (replica set deployment). I've changed the default configuration file to switch to the YAML format and set the "javascriptEnabled" to false, which seems to have no effect.

      From the mongod logs, I checked that the parameter is read:

      2015-04-01T15:57:42.800+0200 [initandlisten] options: { command: [ "run" ], config: "/etc/mongodb.conf", net: { bindIp: "10.33.48.29,127.0.0.1", port: 27017 }, processManagement: { fork: true, pidFilePath: "/var/run/mongodb/mongod.pid" }, replication: { oplogSizeMB: 10240, replSetName: "rs0" }, security: { authorization: "enabled", javascriptEnabled: false, keyFile: "/var/lib/mongodb/mongod-key" }, storage: { dbPath: "/var/lib/mongodb", directoryPerDB: true, journal: { enabled: true } }, systemLog: { destination: "file", logAppend: true, path: "/var/log/mongodb/mongodb.log", quiet: true } }
      

      Then, we tried this JS function:

      db.client.aggregate({$group: {
          _id: '$name',
          total: { $sum: 1 }
        }
      })
      

      and got a result.

            Assignee: Unassigned
            Reporter: sboulkour (Salim B.)
            Votes: 0
            Watchers: 5
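
An added example, not part of the ticket or of MongoDB's code: a static check that lists which parts of a command document depend on server-side JavaScript, the operations that `security.javascriptEnabled: false` is documented to block. It distinguishes the `$group` aggregation stage used in the report from the `group` command; the operator lists, function names and sample commands are assumptions constructed for illustration.

```javascript
// Added example (not from the ticket). Operator and command lists follow
// MongoDB's documentation for security.javascriptEnabled; treat them as an
// assumption of this sketch, not an exhaustive list.
const JS_OPERATORS = new Set(['$where', '$function', '$accumulator']);
const JS_COMMANDS = new Set(['mapReduce', 'group']);

// Walk a document and record the path of every JavaScript-backed operator.
function walk(node, path, hits) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => walk(item, `${path}[${i}]`, hits));
  } else if (node !== null && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      const here = path ? `${path}.${key}` : key;
      if (JS_OPERATORS.has(key)) hits.push(here);
      walk(value, here, hits);
    }
  }
  return hits;
}

// Return the parts of a command document that need server-side JavaScript.
// The command name is the first key of the document.
function findServerSideJs(command) {
  const name = Object.keys(command)[0];
  return walk(command, '', JS_COMMANDS.has(name) ? [name] : []);
}

// Constructed sample commands. The first is the command form of the
// pipeline quoted in the report.
const samples = {
  reportedPipeline: {
    aggregate: 'client',
    pipeline: [{ $group: { _id: '$name', total: { $sum: 1 } } }],
  },
  groupCommand: {
    group: { ns: 'client', key: { name: 1 }, initial: { total: 0 },
             $reduce: 'function (doc, acc) { acc.total += 1; }' },
  },
  whereQuery: { find: 'client', filter: { $where: 'this.name.length > 3' } },
  jsFunction: {
    aggregate: 'client',
    pipeline: [{ $addFields: { n: { $function: {
      body: 'function (s) { return s.length; }', args: ['$name'], lang: 'js' } } } }],
  },
};

for (const [label, command] of Object.entries(samples)) {
  console.log(label, findServerSideJs(command));
}
```

An empty result means the command uses only native operators, so a successful run says nothing about whether the setting is enforced; a command with a non-empty result is the one to use when verifying the configuration.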
