Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-5782

need a $literal operator to help prevent injection attacks

    XMLWordPrintable

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.5.2
    • Component/s: Aggregation Framework
    • Labels:
      None

      Description

      If an application constructs an aggregation pipeline using data obtained from the user, it is possible for that data to affect the result in unexpected ways. Here's a simple example using the mongo shell:

      // projection includes a computed value
      var x = "$author";
       
      var i1 = db.runCommand(
      { aggregate : "article", pipeline : [
          { $project : {
              author : 1,
              daveWroteIt : { $eq:["$author", x] }
          }}
      ]});

      The author of the code probably meant for x to be the name of a user or a query parameter supplied by the application. But if the user arranges to supply a string value that begins with a '$', it will be interpreted as a field reference. For the example above, x = '$author' causes $eq to be true for every document (compare with x = 'dave').

      To make it possible to construct such pipelines dynamically, we should provide a $literal operator whose value cannot be interpreted as a field reference. For example:

      var x = "$author";
       
      var i2 = db.runCommand(
      { aggregate : "article", pipeline : [
          { $project : {
              author : 1,
              daveWroteIt : { $eq:["$author", { $literal: x } ] }
          }}
      ]});

      This can be used to safely construct pipelines w/o fear of a user injecting a value that could be interpreted as anything other than a literal.

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                1 Vote for this issue
                Watchers:
                6 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: