Core Server / SERVER-29014

Consider prohibiting explaining an explain

    • Type: Improvement
    • Resolution: Won't Fix
    • Priority: Minor - P4
    • Affects Version/s: None
    • Component/s: Security
    • Labels: None
    • Query

      In CmdExplain::checkAuthForOperation(), we recursively check auth on the contained command. An unauthorized user could then attempt to run an explain on nested explains in an attempt to force the server to consume more resources.

      The severity of this is minor because we're mostly saved by the BSON depth limit enforced in SERVER-26703.

    • Assignee: Backlog - Query Team (Inactive) (backlog-server-query)
    • Reporter: Kyle Suarez (kyle.suarez@mongodb.com)
    • Votes: 0
    • Watchers: 2
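Added example, not from the ticket, the reporter or the MongoDB code base: a pure-Python model of the recursion the ticket describes (explain grants nothing itself, so the auth check unwraps to the inner command) and of what a nesting cap does to the work an unprivileged caller can force. The names `build_nested_explain`, `bson_depth` and `check_auth_for_operation`, the command shapes, and the `MAX_DEPTH` value of 200 are illustrative assumptions; the real limit from SERVER-26703 is enforced in the server's BSON parser, not in the explain command.

```python
from typing import NamedTuple, Optional

# Assumed stand-in for the server's BSON nesting cap (SERVER-26703). The real
# limit is applied when the document is parsed; this module only models its
# effect on the explain auth check.
MAX_DEPTH = 200


class AuthResult(NamedTuple):
    ok: bool        # was the caller authorized for the innermost command?
    checks: int     # how many per-command auth checks the request cost
    reason: str


def build_nested_explain(depth: int, inner: Optional[dict] = None) -> dict:
    """Wrap a plain command in `depth` layers of {"explain": ...}.

    This is the caller's side of the ticket: no privilege is needed to submit
    the document, only to have the innermost command pass its own check.
    """
    cmd = inner if inner is not None else {"find": "coll", "filter": {}}
    for _ in range(depth):
        cmd = {"explain": cmd}
    return cmd


def bson_depth(doc) -> int:
    """Nesting depth of a document, counting each embedded document or array.

    Iterative on purpose: deep attacker-controlled input must not be able to
    exhaust the Python stack while we are measuring it.
    """
    deepest = 0
    stack = [(doc, 1)]
    while stack:
        node, level = stack.pop()
        deepest = max(deepest, level)
        children = node.values() if isinstance(node, dict) else node
        for child in children:
            if isinstance(child, (dict, list)):
                stack.append((child, level + 1))
    return deepest


def check_auth_for_operation(cmd: dict, privileges: set,
                             max_depth: Optional[int] = None) -> AuthResult:
    """Model of the recursive behaviour of CmdExplain::checkAuthForOperation.

    explain is authorized by the command it wraps, so each explain layer is
    unwrapped and the check repeated. Without max_depth the caller chooses how
    many checks run before the request is refused; with it, an over-deep
    document is refused before the first per-command check.
    """
    if max_depth is not None and bson_depth(cmd) > max_depth:
        return AuthResult(False, 0, f"nesting exceeds {max_depth}")

    checks = 0
    while True:
        checks += 1
        if "explain" in cmd:
            cmd = cmd["explain"]          # defer to the wrapped command
            if not isinstance(cmd, dict):
                return AuthResult(False, checks, "explain argument is not a command")
            continue
        name = next(iter(cmd), None)
        if name is None or name not in privileges:
            return AuthResult(False, checks, f"not authorized for {name}")
        return AuthResult(True, checks, "ok")


if __name__ == "__main__":
    hostile = build_nested_explain(5000)       # constructed sample input
    print("unguarded:", check_auth_for_operation(hostile, set()))
    print("capped:   ", check_auth_for_operation(hostile, set(), max_depth=MAX_DEPTH))
    print("benign:   ", check_auth_for_operation(build_nested_explain(1), {"find"},
                                                 max_depth=MAX_DEPTH))
```

The unguarded call shows the resource-consumption angle: an unprivileged caller with 5000 explain layers forces 5001 auth checks before being refused. The capped call refuses the same document with zero checks, which is the effect of the BSON depth limit the ticket relies on; a legitimately nested explain well inside the cap still authorizes normally.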