  1. Core Server
  2. SERVER-33624

Commands which accept UUIDs do not correctly validate that the collection belongs to the database over which the command was issued


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: 3.7.2
    • Fix Version/s: 3.7.3
    • Component/s: Catalog
    • Labels:
      None
    • Backwards Compatibility:
      Fully Compatible
    • Operating System:
      ALL
    • Sprint:
      Query 2018-03-12
    • Linked BF Score:
      0

      Description

      Various commands accept UUIDs to uniquely identify a collection, instead of a collection name. However, the RPC protocol for issuing commands also requires clients to include a particular database name. If the UUID identifies a collection within a different database from the one named in the command request, the intended behavior is that the command should fail.

      This behavior was correctly implemented in 3.6, but appears to have regressed during 3.7 development. I believe the regression was caused by SERVER-32367, due to commit e5e8dde676.

      This appears to affect several commands, so I think we should audit and test all of the commands that accept UUIDs as part of the fix. Here's a repro for the find command in particular:

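      (function() {
          "use strict";

          // Create collection "c" in the current database.
          assert.writeOK(db.c.insert({}));

          // Read the collection's UUID from the catalog.
          let collectionInfos = db.getCollectionInfos({});
          let uuid = collectionInfos[0].info.uuid;

          // Run find by UUID against a different database; this must fail
          // because the UUID identifies a collection outside of "other".
          let otherDb = db.getSisterDB("other");
          assert.commandFailed(otherDb.runCommand({find: uuid}));
      }());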
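
The check the description calls for, as an added example in plain JavaScript: a simplified model of resolving a command target to a namespace, not MongoDB's code and not the fix that shipped. `CollectionUUID`, `Catalog`, `resolveUnchecked`, `resolveChecked`, `demo` and the sample UUID are all hypothetical names and constructed values.

```javascript
// Simplified model only; every name below is hypothetical.
class CollectionUUID {
    constructor(value) { this.value = value; }
}

class Catalog {
    constructor() { this.byUuid = new Map(); }
    register(uuid, db, coll) { this.byUuid.set(uuid.value, { db, coll }); }
    lookup(uuid) { return this.byUuid.get(uuid.value) || null; }
}

// Behaviour described in the ticket: the namespace found in the catalog is
// returned as-is and the database named in the request is never compared.
function resolveUnchecked(catalog, requestDb, target) {
    if (typeof target === "string") return { db: requestDb, coll: target };
    const ns = catalog.lookup(target);
    if (ns === null) throw new Error("NamespaceNotFound: unknown UUID");
    return ns;
}

// Intended behaviour: a UUID may only resolve inside the request's database.
function resolveChecked(catalog, requestDb, target) {
    const ns = resolveUnchecked(catalog, requestDb, target);
    if (ns.db !== requestDb) {
        // Choice made for this example: reuse the unknown-UUID error so the
        // reply does not confirm the collection exists in another database.
        throw new Error("NamespaceNotFound: unknown UUID");
    }
    return ns;
}

// Constructed data mirroring the repro: collection "c" lives in "test".
function demo() {
    const catalog = new Catalog();
    const uuid = new CollectionUUID("00000000-0000-4000-8000-000000000001");
    catalog.register(uuid, "test", "c");
    const attempt = (resolve, db) => {
        try {
            const ns = resolve(catalog, db, uuid);
            return `${ns.db}.${ns.coll}`;
        } catch (e) {
            return "rejected";
        }
    };
    return {
        uncheckedOther: attempt(resolveUnchecked, "other"),
        checkedOther: attempt(resolveChecked, "other"),
        checkedSame: attempt(resolveChecked, "test"),
    };
}
```

Because the comparison lives in the shared resolver rather than in one command handler, every command that accepts a UUID through it gets the same database check.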
      

              People

              Assignee:
              david.storch David Storch
              Reporter:
              david.storch David Storch