Core Server
SERVER-29014

Consider prohibiting explaining an explain


Details

    • Type: Improvement
    • Resolution: Won't Fix
    • Priority: Minor - P4
    • Security
    • Query

    Description

      In CmdExplain::checkAuthForOperation(), authorization is checked recursively on the contained command. An unauthorized user could therefore submit an explain wrapping further nested explains in an attempt to make the server consume more resources before the request is rejected.

      The severity is minor because the nesting depth is already bounded by the BSON depth limit enforced in SERVER-26703.
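      The following is an added illustration, not MongoDB server code: a toy model of a recursive explain authorization check, showing how the work grows with nesting depth and how an explicit nesting cap (the change the ticket proposes) bounds it. Command, AuthContext, checkAuthForExplain, nestedExplain and runCheck are all hypothetical names constructed for the example; the depth cap is passed in rather than taken from any real server setting.

```cpp
#include <cassert>
#include <iostream>
#include <memory>
#include <string>
#include <utility>

// Hypothetical model of a command document: a leaf command ("find") or an
// "explain" that wraps another command.
struct Command {
    std::string name;
    std::unique_ptr<Command> inner;  // set only when name == "explain"
};

enum class AuthStatus { Ok, Unauthorized, ExplainNestingTooDeep };

// Constructed caller context: whether the caller may run the innermost
// command, plus a counter for how many auth checks the server performed.
struct AuthContext {
    bool canRunLeaf;
    int checksPerformed;
};

// Recursive check modelled on the behaviour the ticket describes. Without a
// cap, each explain layer costs one more check before the leaf is rejected;
// with maxExplainDepth the recursion stops early.
AuthStatus checkAuthForExplain(const Command& cmd, AuthContext& ctx,
                               int maxExplainDepth, int depth = 0) {
    ++ctx.checksPerformed;
    if (cmd.name != "explain") {
        return ctx.canRunLeaf ? AuthStatus::Ok : AuthStatus::Unauthorized;
    }
    if (depth >= maxExplainDepth) {
        // Reject before recursing further: bounded work regardless of nesting.
        return AuthStatus::ExplainNestingTooDeep;
    }
    if (!cmd.inner) {
        return AuthStatus::Unauthorized;  // malformed explain with no command
    }
    return checkAuthForExplain(*cmd.inner, ctx, maxExplainDepth, depth + 1);
}

// Builds explain(explain(...(find))) with `layers` explain wrappers
// (constructed input standing in for a client-supplied document).
std::unique_ptr<Command> nestedExplain(int layers) {
    auto cmd = std::make_unique<Command>();
    cmd->name = "find";
    for (int i = 0; i < layers; ++i) {
        auto wrapper = std::make_unique<Command>();
        wrapper->name = "explain";
        wrapper->inner = std::move(cmd);
        cmd = std::move(wrapper);
    }
    return cmd;
}

struct Outcome {
    AuthStatus status;
    int checks;
};

// Runs one check and reports the outcome and the number of checks performed.
Outcome runCheck(int layers, bool canRunLeaf, int maxExplainDepth) {
    AuthContext ctx{canRunLeaf, 0};
    auto cmd = nestedExplain(layers);
    AuthStatus s = checkAuthForExplain(*cmd, ctx, maxExplainDepth);
    return {s, ctx.checksPerformed};
}

int main() {
    // Unauthorized caller, 50 nested explains, effectively no cap:
    // 51 checks before rejection (work proportional to nesting depth).
    Outcome uncapped = runCheck(50, false, 1000);
    std::cout << "uncapped checks: " << uncapped.checks << "\n";

    // Same request with explain-of-explain prohibited: rejected after 2 checks.
    Outcome capped = runCheck(50, false, 1);
    std::cout << "capped checks: " << capped.checks << "\n";
    return 0;
}
```

      The uncapped run shows why the BSON depth limit matters: the number of checks equals the nesting depth plus one, so the only bound on the work is the document depth the server accepts at all. The capped run rejects at the second layer, which is the behaviour a prohibition on explaining an explain would give.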

      People

        Assignee: Backlog - Query Team (Inactive)
        Reporter: Kyle Suarez