Details
Type: New Feature
Status: Closed
Priority: Major - P3
Resolution: Fixed
Description
If an application constructs an aggregation pipeline using data obtained from the user, it is possible for that data to affect the result in unexpected ways. Here's a simple example using the mongo shell:
// projection includes a computed value
var x = "$author";

var i1 = db.runCommand(
    { aggregate : "article", pipeline : [
        { $project : {
            author : 1,
            daveWroteIt : { $eq:["$author", x] }
        }}
    ]});
The author of the code probably meant for x to be the name of a user or a query parameter supplied by the application. But if the user arranges to supply a string value that begins with a '$', it will be interpreted as a field reference. For the example above, x = '$author' causes $eq to be true for every document (compare with x = 'dave').
To make it possible to construct such pipelines dynamically, we should provide a $literal operator whose value cannot be interpreted as a field reference. For example:
var x = "$author";

var i2 = db.runCommand(
    { aggregate : "article", pipeline : [
        { $project : {
            author : 1,
            daveWroteIt : { $eq:["$author", { $literal: x } ] }
        }}
    ]});
This can be used to construct pipelines safely, without fear of a user injecting a value that could be interpreted as anything other than a literal.
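To make the difference concrete, here is an added example (not code from this issue or from MongoDB): a small JavaScript evaluator for only the expression forms the issue uses ($eq, "$field" references, $literal), run over two constructed documents so that the unwrapped and the $literal-wrapped forms of the same pipeline can be compared side by side.

```javascript
// Added example (not from the issue or from MongoDB): a tiny evaluator for
// the expression forms the issue discusses, run over constructed documents.
const articles = [                        // constructed sample collection
  { _id: 1, author: "dave" },
  { _id: 2, author: "jane" },
];

// Resolve one expression against a document using the server's rules that
// the issue describes: a string starting with "$" is a field reference,
// { $literal: v } yields v unchanged, { $eq: [a, b] } compares two results.
function evaluate(expr, doc) {
  if (typeof expr === "string" && expr.startsWith("$")) {
    return doc[expr.slice(1)];            // field reference, e.g. "$author"
  }
  if (expr !== null && typeof expr === "object" && !Array.isArray(expr)) {
    if ("$literal" in expr) return expr.$literal;   // never reinterpreted
    if ("$eq" in expr) {
      const [a, b] = expr.$eq.map((e) => evaluate(e, doc));
      return a === b;
    }
    throw new Error("unsupported expression: " + JSON.stringify(expr));
  }
  return expr;                            // numbers, booleans, plain strings
}

// The $project stage from the issue. x is the user-controlled value; `safe`
// selects the hardened form that wraps it in $literal.
function daveWroteItStage(x, safe) {
  return { $project: { author: 1,
    daveWroteIt: { $eq: ["$author", safe ? { $literal: x } : x] } } };
}

// Apply a $project stage to each document (1 = include field as-is,
// anything else = computed expression).
function runProject(stage, docs) {
  return docs.map((doc) => {
    const out = {};
    for (const [name, spec] of Object.entries(stage.$project)) {
      out[name] = spec === 1 ? doc[name] : evaluate(spec, doc);
    }
    return out;
  });
}

// Convenience: the daveWroteIt flag for every document.
function daveWroteItFlags(x, safe) {
  return runProject(daveWroteItStage(x, safe), articles).map((d) => d.daveWroteIt);
}
```

With x = "$author", the unwrapped form flags every document as true, while the $literal form compares the string "$author" to each author field and flags none; with x = "dave" both forms flag only the first document.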
Issue Links
- is depended on by
  - CSHARP-792 support new aggregation pipeline operators (Closed)
- is duplicated by
  - SERVER-5991 $project does not allow creation of a new field with literal value (Closed)
  - SERVER-3864 aggregation: support stuttered $ syntax for literals that begin w/a $ in expressions (Closed)
- is related to
  - SERVER-3864 aggregation: support stuttered $ syntax for literals that begin w/a $ in expressions (Closed)
  - SERVER-10840 injection is too easy with agg framework syntax (Backlog)
  - SERVER-3859 aggregation: if future updates use the aggregation expression syntax, are injection attacks a danger? (Closed)