Details
-
Improvement
-
Resolution: Unresolved
-
Major - P3
-
None
-
None
-
None
-
None
-
Server Security
Description
Tested on 4.4.10 and 5.0.3, same behavior. Invalid options inside a role object are silently ignored. There should be an error.
Steps to Reproduce:
The invalid option "blahblah" is silently ignored. It is not just the shell helper; the createUser database command has the same behavior when directly invoked.
Enterprise test> user = { user: "barbarbar", pwd: "foo", roles: [ {role: "readWrite", db: "test", blahblah: "foobar"} ] }
|
{
|
user: 'barbarbar',
|
pwd: 'foo',
|
roles: [ { role: 'readWrite', db: 'test', blahblah: 'foobar' } ]
|
}
|
Enterprise test> db.createUser(user)
|
{ ok: 1 }
|
Enterprise test> db.getUsers()
|
{
|
users: [
|
{
|
_id: 'test.barbarbar',
|
userId: UUID("ed815425-c913-4aba-99f2-692b2adf322e"),
|
user: 'barbarbar',
|
db: 'test',
|
roles: [ { role: 'readWrite', db: 'test' } ],
|
mechanisms: [ 'SCRAM-SHA-1', 'SCRAM-SHA-256' ]
|
}
|
],
|
ok: 1
|
}
|
Enterprise test> db.runCommand( { createUser: "barfoobar", pwd: "foo", roles: user.roles } )
|
{ ok: 1 }
|
Enterprise test> db.getUsers()
|
{
|
users: [
|
{
|
_id: 'test.barbarbar',
|
userId: UUID("ed815425-c913-4aba-99f2-692b2adf322e"),
|
user: 'barbarbar',
|
db: 'test',
|
roles: [ { role: 'readWrite', db: 'test' } ],
|
mechanisms: [ 'SCRAM-SHA-1', 'SCRAM-SHA-256' ]
|
},
|
{
|
_id: 'test.barfoobar',
|
userId: UUID("b418efd2-424c-4c84-92c9-5948591fdff0"),
|
user: 'barfoobar',
|
db: 'test',
|
roles: [ { role: 'readWrite', db: 'test' } ],
|
mechanisms: [ 'SCRAM-SHA-1', 'SCRAM-SHA-256' ]
|
}
|
],
|
ok: 1
|
}
|
Enterprise test>
|