Core Server: SERVER-27194

Views should require both "viewOn" and "pipeline" to be specified if modifying view when auth is enabled


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: 3.4.0-rc5
    • Fix Version/s: 3.4.1, 3.5.1
    • Component/s: Security
    • Labels:
    • Backwards Compatibility: Fully Compatible
    • Operating System: ALL
    • Backport Completed:
    • Steps To Reproduce:

      Launch mongod with --auth, then do

      assert.commandWorked(db.createView("view", "collection", [{ $match: { team: "query" } }] ));
      assert.commandWorked(db.runCommand( { collMod: "view", pipeline: [{ $sort: { team: -1 } }] } ));
    • Sprint: Query 2016-12-12

      Description

      When auth is enabled, we should force users to specify both "viewOn" and "pipeline" when modifying a view. This prevents a user from reading sensitive data from the original "viewOn" collection by changing only "pipeline", or from exposing additional data through a lookup in the original "pipeline" by changing only "viewOn".

      Original Description

      In AuthorizationSession::checkAuthForCreateOrModifyView(), we construct a NamespaceString from the "viewOn" field of the command object, to make sure that the user has read privileges on that namespace. However, a user can validly collMod an existing view without specifying a new "viewOn". Because the authorization code always expects "viewOn" to be present, this scenario causes an exception to be thrown.

      The correct behavior would be to first check if cmdObj["viewOn"] exists; if it does not, simply skip the call to checkAuthForAggregate().
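As an added illustration (not MongoDB's own code), the following sketch models the check the fix describes: with auth enabled, a collMod on a view must carry both fields, and the read check then covers the "viewOn" namespace and the lookup sources in the pipeline. Function names, the `readable` set and the `$lookup`-only source resolution are assumptions of this sketch.

```javascript
// Added illustration only; not MongoDB's own code. Function and parameter
// names are hypothetical. `readable` is a Set of "db.coll" namespaces the
// caller may read.

// Collect the namespaces a pipeline reads besides "viewOn": here only the
// "from" collection of $lookup / $graphLookup stages (constructed helper; the
// real server resolves more stage types).
function pipelineSourceNamespaces(dbName, pipeline) {
  const sources = [];
  for (const stage of pipeline) {
    const lookup = stage.$lookup || stage.$graphLookup;
    if (lookup && typeof lookup.from === "string") {
      sources.push(dbName + "." + lookup.from);
    }
  }
  return sources;
}

// Model of the create/collMod authorization check after SERVER-27194.
// Returns { ok: true } or { ok: false, reason: "..." }.
function checkAuthForCreateOrModifyView(dbName, cmdObj, authEnabled, readable) {
  if (!authEnabled) {
    return { ok: true }; // nothing to check without auth
  }
  const isModify = "collMod" in cmdObj;
  const hasViewOn = typeof cmdObj.viewOn === "string";
  const hasPipeline = Array.isArray(cmdObj.pipeline);

  if (isModify && !hasViewOn && !hasPipeline) {
    return { ok: true }; // not a view modification; nothing view-specific to check
  }
  // The fix: a view definition must carry both fields. Otherwise the half of
  // the definition that is not changing would never be re-checked against the
  // caller's privileges (and the old code threw on the missing "viewOn").
  if (hasViewOn !== hasPipeline) {
    return { ok: false, reason: "must specify both viewOn and pipeline" };
  }

  // Read privilege is needed on viewOn and on every lookup source.
  const needed = [dbName + "." + cmdObj.viewOn]
    .concat(pipelineSourceNamespaces(dbName, cmdObj.pipeline));
  for (const ns of needed) {
    if (!readable.has(ns)) {
      return { ok: false, reason: "not authorized to read " + ns };
    }
  }
  return { ok: true };
}
```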
