-
Type:
Improvement
-
Status: Open
-
Priority:
Major - P3
-
Resolution: Unresolved
-
Affects Version/s: None
-
Fix Version/s: features we're not sure of
-
Component/s: Security
-
Labels:None
The Security Checklist instructs users to Run MongoDB with Secure Configuration Options, such as disabling execution of JavaScript code for certain server-side operations: mapReduce, group, and $where..
Rather then instructing users to disable this feature for security reasons, we should be secure by default and force the user to enable this feature if they require it.
https://docs.mongodb.com/manual/reference/configuration-options/#security.javascriptEnabled
When disabled, you cannot use operations that perform server-side execution of JavaScript code, such as the $where query operator, mapReduce command and the db.collection.mapReduce() method, group command and the db.collection.group() method.
https://docs.mongodb.com/manual/core/server-side-javascript/
If you are using SELinux, any MongoDB operation that requires server-side JavaScript will result in segfault errors. Disable Server-Side Execution of JavaScript describes how to disable execution of server-side JavaScript.