Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-5782

need a $literal operator to help prevent injection attacks

    • Type: Icon: New Feature New Feature
    • Resolution: Done
    • Priority: Icon: Major - P3 Major - P3
    • 2.5.2
    • Affects Version/s: None
    • Component/s: Aggregation Framework
    • Labels:

      If an application constructs an aggregation pipeline using data obtained from the user, it is possible for that data to affect the result in unexpected ways. Here's a simple example using the mongo shell:

      // projection includes a computed value
      var x = "$author";
      var i1 = db.runCommand(
      { aggregate : "article", pipeline : [
          { $project : {
              author : 1,
              daveWroteIt : { $eq:["$author", x] }

      The author of the code probably meant for x to be the name of a user or a query parameter supplied by the application. But if the user arranges to supply a string value that begins with a '$', it will be interpreted as a field reference. For the example above, x = '$author' causes $eq to be true for every document (compare with x = 'dave').

      To make it possible to construct such pipelines dynamically, we should provide a $literal operator whose value cannot be interpreted as a field reference. For example:

      var x = "$author";
      var i2 = db.runCommand(
      { aggregate : "article", pipeline : [
          { $project : {
              author : 1,
              daveWroteIt : { $eq:["$author", { $literal: x } ] }

      This can be used to safely construct pipelines w/o fear of a user injecting a value that could be interpreted as anything other than a literal.

            matt.dannenberg Matt Dannenberg
            dan@mongodb.com Daniel Pasette (Inactive)
            1 Vote for this issue
            6 Start watching this issue