Core Server / SERVER-29014

Consider prohibiting explaining an explain

Details

    • Improvement
    • Status: Closed
    • Minor - P4
    • Resolution: Won't Fix
    • None
    • None
    • Security
    • None

    Description

      In CmdExplain::checkAuthForOperation(), we recursively check auth on the contained command. An unauthorized user could then attempt to run an explain on nested explains in an attempt to force the server to consume more resources.

      The severity of this is minor because we're mostly saved by the BSON depth limit enforced in SERVER-26703.
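
A model of the check this ticket proposes, as an added example rather than MongoDB server code. Command documents are represented as plain JavaScript objects whose first key is the command name, and `authChecksPerformed`, `validateExplain` and `nestExplain` are hypothetical names.

```javascript
// Added example: a model of the check, not MongoDB server code.
// A command document is a plain object whose first key is the command name.
function commandName(cmd) {
  const keys = Object.keys(cmd);
  return keys.length > 0 ? keys[0] : null;
}

// Models the behaviour in the description: authorizing an explain also
// authorizes the command it contains, so each nested explain costs one more
// check before any access decision is reached.
function authChecksPerformed(cmd) {
  let checks = 0;
  let cur = cmd;
  while (cur !== null && typeof cur === 'object') {
    checks += 1;
    if (commandName(cur) !== 'explain') break;
    cur = cur.explain;
  }
  return checks;
}

// The proposed prohibition: reject an explain whose contained command is
// itself an explain, so at most two checks are ever needed.
function validateExplain(cmd) {
  if (commandName(cmd) !== 'explain') return { ok: true };
  const inner = cmd.explain;
  if (inner === null || typeof inner !== 'object' || Array.isArray(inner)) {
    return { ok: false, reason: 'explain requires a command document' };
  }
  if (commandName(inner) === 'explain') {
    return { ok: false, reason: 'explain of an explain is not allowed' };
  }
  return { ok: true };
}

// Test fixture (constructed): wraps `inner` in `levels` explain layers.
function nestExplain(inner, levels) {
  let cmd = inner;
  for (let i = 0; i < levels; i++) cmd = { explain: cmd };
  return cmd;
}

const sampleFind = { find: 'coll', filter: { a: 1 } }; // constructed sample
for (const levels of [1, 2, 50]) {
  const cmd = nestExplain(sampleFind, levels);
  console.log(levels, authChecksPerformed(cmd), validateExplain(cmd).ok);
}
```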

            People

              backlog-server-query Backlog - Query Team (Inactive)
              kyle.suarez@mongodb.com Kyle Suarez
              Votes: 0
              Watchers: 2

              Dates

                Created:
                Updated:
                Resolved: