Details
Major - P3 Description
It is possible to "abuse" the BSONArrayBuilder/BSONObjBuilder interface by creating BSONArrayBuilder 'a', appending to it, calling doneFast(), creating builder 'b', and then using 'a' again. This misuse results in an object being created that looks very different from what the caller intended:
TEST(BSONObjBuilderTest, BadUseTest) {
|
BSONObjBuilder root;
|
|
BSONArrayBuilder array1(root.subobjStart("arr1")); |
|
array1.append(3); |
array1.doneFast();
|
|
BSONArrayBuilder array2(root.subobjStart("arr2")); |
|
// Notice how we're using 'array1' here. It'd be nice if this tripped an invariant or something. |
array1.append(4); |
|
array2.doneFast();
|
|
// This "just works" even though it doesn't produce the object you'd expect. |
auto obj = root.done();
|
|
// ... later someone tries to use the object. |
|
std::cout << obj << std::endl;
|
// Kind of a strange object, and clearly not what was intended: |
// { arr1: { 0: 3 }, arr2: { 1: 4 } } |
}
|
It'd be nice if we could make some "best effort" to invariant/fail when BSONObjBuilder is misused in this way.
An example of such mis-use in our actual codebase is SERVER-60909.
Attachments
Issue Links
- is related to
-
SERVER-60909 Incorrect use of BSONObjBuilder in mongos explain
-
- Closed
-