Core Server / SERVER-20362

JS Scopes may leak between synthetic users with '@' in name and database


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: 3.1.7
    • Fix Version/s: 4.3.1
    • Component/s: JavaScript
    • Backwards Compatibility:
      Fully Compatible
    • Operating System:
      ALL
    • Steps To Reproduce:

      Create two users:
      The first shall be named 'x@y' and will exist on 'z'.
      The second shall be named 'x' and will exist on 'y@z'.

      In window 1:

      > use z
      switched to db z
      > db.createUser({user: "x@y", pwd: "pwd", roles: []})
      Successfully added user: { "user" : "x@y", "roles" : [ ] }
      > db.auth("x@y", "pwd")
      1
      > use dbx
      switched to db dbx
      

      In window 2:

      > use y@z
      switched to db y@z
      > db.createUser({user: "x", pwd: "pwd", roles: []})
      Successfully added user: { "user" : "x", "roles" : [ ] }
      > db.auth("x", "pwd")
      2015-09-10T17:51:49.902-0400 I ACCESS   [conn1] Successfully authenticated as principal x on y@z
      1
      > use dbx
      switched to db dbx
      > db.col.insert({})
      WriteResult({ "nInserted" : 1 })
      > db.col.find({$where: "globalThing = \"B\"; return true"})
      

      Back in the first window:

      db.col.find({$where: "print(globalThing); globalThing = \"A\"; return true"})
      

      Mongod will print "B".

    • Sprint:
      Security 15 (06/03/16), Security 2020-02-10, Security 2020-02-24

      Description

      The ScopePool identifies the scope it should acquire from its map by creating a key with the following structure:

      <db><JSOperation>[\0<user>@<db>]
      

      As '@' is a legal character in both <user> and <db>, it is possible to construct two users so as to cause a collision.
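
The collision described above, modeled as an added example (not MongoDB's ScopePool code and not the fix that shipped): `ambiguousKey` follows the key layout given in this ticket, and `lengthPrefixedKey` is one assumed way to make the field boundaries unambiguous. The `Principal` struct, the function names and the `where` operation string are assumptions made for illustration.

```cpp
#include <iostream>
#include <string>

// Hypothetical model of a principal: user name plus its authentication database.
struct Principal {
    std::string user;
    std::string authDb;
};

// Key layout as described in the ticket: <db><JSOperation>[\0<user>@<db>].
// The '@' separator is ambiguous because both fields may contain '@'.
std::string ambiguousKey(const std::string& db, const std::string& op, const Principal& p) {
    std::string key = db + op;
    key.push_back('\0');
    key += p.user + "@" + p.authDb;
    return key;
}

// Assumed alternative: prefix every field with its byte length, so characters
// inside a field can never shift where the next field starts.
void appendField(std::string& key, const std::string& field) {
    key += std::to_string(field.size());
    key.push_back(':');
    key += field;
}

std::string lengthPrefixedKey(const std::string& db, const std::string& op, const Principal& p) {
    std::string key;
    appendField(key, db);
    appendField(key, op);
    appendField(key, p.user);
    appendField(key, p.authDb);
    return key;
}

// The two principals from the reproduction steps.
const Principal kFirst{"x@y", "z"};
const Principal kSecond{"x", "y@z"};

int main() {
    const std::string db = "dbx", op = "where";  // op value is a constructed placeholder
    std::cout << std::boolalpha << "ambiguous keys equal: "
              << (ambiguousKey(db, op, kFirst) == ambiguousKey(db, op, kSecond)) << "\n"
              << "length-prefixed keys equal: "
              << (lengthPrefixedKey(db, op, kFirst) == lengthPrefixedKey(db, op, kSecond)) << "\n";
    return 0;
}
```

Both principals serialize to `x@y@z` after the NUL byte in the ticket's layout, so they map to the same pool entry; with length prefixes the user and database fields stay distinct.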

              People

              Assignee:
              sara.golemon Sara Golemon
              Reporter:
              spencer.jackson Spencer Jackson