  1. Core Server
  2. SERVER-31203

Disable server-side execution of JavaScript code by default


Details

    • Improvement
    • Status: Open
    • Major - P3
    • Resolution: Unresolved
    • None
    • Security
    • None

    Description

      The Security Checklist instructs users to Run MongoDB with Secure Configuration Options, such as disabling execution of JavaScript code for certain server-side operations: mapReduce, group, and $where.

      Rather than instructing users to disable this feature for security reasons, we should be secure by default and force the user to enable this feature if they require it.

      https://docs.mongodb.com/manual/reference/configuration-options/#security.javascriptEnabled

      When disabled, you cannot use operations that perform server-side execution of JavaScript code, such as the $where query operator, mapReduce command and the db.collection.mapReduce() method, group command and the db.collection.group() method.

      https://docs.mongodb.com/manual/core/server-side-javascript/

      If you are using SELinux, any MongoDB operation that requires server-side JavaScript will result in segfault errors. Disable Server-Side Execution of JavaScript describes how to disable execution of server-side JavaScript.
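
A check that could be run over `getCmdLineOpts` output to find servers where the setting discussed above is still on. This is an added example, not part of the ticket or of MongoDB's code; the function names, host names and sample documents are constructed, and it assumes an unset option means the current default (JavaScript enabled).

```javascript
// Added example. Input: the document returned by
//   db.adminCommand({ getCmdLineOpts: 1 })
// which has the shape { argv: [...], parsed: {...}, ok: 1 }.

function auditServerSideJs(cmdLineOpts) {
  const argv = Array.isArray(cmdLineOpts.argv) ? cmdLineOpts.argv : [];
  const security = (cmdLineOpts.parsed || {}).security || {};
  const setting = security.javascriptEnabled; // undefined when never configured

  // --noscripting is the command-line form of security.javascriptEnabled: false.
  if (argv.includes("--noscripting")) {
    return { enabled: false, source: "--noscripting" };
  }
  if (setting === false) {
    return { enabled: false, source: "security.javascriptEnabled" };
  }
  if (setting === true) {
    return { enabled: true, source: "security.javascriptEnabled" };
  }
  // Nothing set: the server default applies, and the default is enabled.
  return { enabled: true, source: "default" };
}

// Hosts on which $where, mapReduce and group can still run JavaScript.
function hostsWithJsEnabled(optsByHost) {
  return Object.keys(optsByHost)
    .filter((host) => auditServerSideJs(optsByHost[host]).enabled)
    .sort();
}

// Constructed sample documents (hypothetical host names and paths).
const SAMPLE_FLEET = {
  "db-a.example": { argv: ["mongod", "--config", "/etc/mongod.conf"],
                    parsed: { config: "/etc/mongod.conf", net: { port: 27017 } }, ok: 1 },
  "db-b.example": { argv: ["mongod", "--config", "/etc/mongod.conf"],
                    parsed: { security: { javascriptEnabled: false } }, ok: 1 },
  "db-c.example": { argv: ["mongod", "--noscripting"], parsed: {}, ok: 1 },
  "db-d.example": { argv: ["mongod"],
                    parsed: { security: { authorization: "enabled", javascriptEnabled: true } }, ok: 1 },
};

console.log(hostsWithJsEnabled(SAMPLE_FLEET));
```

In mongosh the same function can be called directly as `auditServerSideJs(db.adminCommand({ getCmdLineOpts: 1 }))`.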

          People

            backlog-server-security Backlog - Security Team
            bjori Hannes Magnusson
            Votes: 0
            Watchers: 8