-
Type:
New Feature
-
Resolution: Done
-
Priority:
Major - P3
-
Affects Version/s: None
-
Component/s: Aggregation Framework
-
None
-
None
-
3
-
None
-
None
-
None
-
None
-
None
-
None
If an application constructs an aggregation pipeline using data obtained from the user, it is possible for that data to affect the result in unexpected ways. Here's a simple example using the mongo shell:
// projection includes a computed value var x = "$author"; var i1 = db.runCommand( { aggregate : "article", pipeline : [ { $project : { author : 1, daveWroteIt : { $eq:["$author", x] } }} ]});
The author of the code probably meant for x to be the name of a user or a query parameter supplied by the application. But if the user arranges to supply a string value that begins with a '$', it will be interpreted as a field reference. For the example above, x = '$author' causes $eq to be true for every document (compare with x = 'dave').
To make it possible to construct such pipelines dynamically, we should provide a $literal operator whose value cannot be interpreted as a field reference. For example:
var x = "$author"; var i2 = db.runCommand( { aggregate : "article", pipeline : [ { $project : { author : 1, daveWroteIt : { $eq:["$author", { $literal: x } ] } }} ]});
This can be used to safely construct pipelines w/o fear of a user injecting a value that could be interpreted as anything other than a literal.
- is depended on by
-
-
- Closed
-
- is duplicated by
-
SERVER-5991 $project does not allow creation of a new field with literal value
-
- Closed
-
-
-
- Closed
-
- is related to
-
-
- Closed
-
-
SERVER-10840 injection is too easy with agg framework syntax
-
- Backlog
-
-
SERVER-3859 aggregation: if future updates use the aggregation expression syntax, are injection attacks a danger?
-
- Closed
-