Core Server
SERVER-5782

need a $literal operator to help prevent injection attacks


Details

    • New Feature
    • Status: Closed
    • Major - P3
    • Resolution: Fixed
    • 2.5.2
    • Aggregation Framework

    Description

      If an application constructs an aggregation pipeline using data obtained from the user, it is possible for that data to affect the result in unexpected ways. Here's a simple example using the mongo shell:

      // projection includes a computed value
      var x = "$author";
       
      var i1 = db.runCommand(
      { aggregate : "article", pipeline : [
          { $project : {
              author : 1,
              daveWroteIt : { $eq:["$author", x] }
          }}
      ]});

      The author of the code probably meant for x to be the name of a user or a query parameter supplied by the application. But if the user arranges to supply a string value that begins with a '$', it will be interpreted as a field reference. For the example above, x = '$author' causes $eq to be true for every document (compare with x = 'dave').

      To make it possible to construct such pipelines dynamically, we should provide a $literal operator whose value cannot be interpreted as a field reference. For example:

      var x = "$author";
       
      var i2 = db.runCommand(
      { aggregate : "article", pipeline : [
          { $project : {
              author : 1,
              daveWroteIt : { $eq:["$author", { $literal: x } ] }
          }}
      ]});

      This can be used to safely construct pipelines without fear of a user injecting a value that could be interpreted as anything other than a literal.
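      To see the difference end to end without a running server, here is an added example (not from this ticket or from MongoDB's code base): a small JavaScript evaluator for just the expression subset involved ($eq, "$field" paths and $literal), run over a constructed two-document collection. It assumes the hypothetical helper names below; the semantics mirror what the description states.

```javascript
// Added example, not MongoDB's own code: a tiny evaluator for the expression
// subset the ticket discusses ($eq, "$field" paths, $literal), used to show how
// an untrusted value starting with '$' changes the result and how $literal fixes it.

// Resolve an expression against one document the way the $project stage would.
function evaluate(expr, doc) {
  if (typeof expr === "string" && expr.startsWith("$")) {
    // A string beginning with '$' is interpreted as a field path reference.
    return doc[expr.slice(1)];
  }
  if (expr !== null && typeof expr === "object" && !Array.isArray(expr)) {
    if ("$literal" in expr) return expr.$literal; // value is never re-interpreted
    if ("$eq" in expr) {
      const [a, b] = expr.$eq.map((e) => evaluate(e, doc));
      return a === b;
    }
    throw new Error("unsupported expression: " + JSON.stringify(expr));
  }
  return expr; // numbers, booleans and non-'$' strings are constants
}

// Vulnerable construction: untrusted x lands where a field path may appear.
function unsafeProjection(x) {
  return { author: 1, daveWroteIt: { $eq: ["$author", x] } };
}

// Hardened construction: x is wrapped in $literal so it can only be a value.
function safeProjection(x) {
  return { author: 1, daveWroteIt: { $eq: ["$author", { $literal: x }] } };
}

// Apply a $project-style spec to one document (1 means include the field).
function project(spec, doc) {
  const out = {};
  for (const [k, v] of Object.entries(spec)) {
    out[k] = v === 1 ? doc[k] : evaluate(v, doc);
  }
  return out;
}

// Constructed sample collection (hypothetical data).
const ARTICLES = [
  { author: "dave", title: "a" },
  { author: "alice", title: "b" },
];

// Count how many documents the projection flags as written by dave.
function countFlagged(spec) {
  return ARTICLES.filter((d) => project(spec, d).daveWroteIt).length;
}
```

With x = "dave" both forms flag one document; with x = "$author" the unsafe form flags every document while the $literal form flags none, because the string is compared as a value rather than resolved as a field.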

            People

              matt.dannenberg Matt Dannenberg
              dan@mongodb.com Daniel Pasette (Inactive)