Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-6163

value in a $literal expression can trigger an expression parse assertion causing an aggregation to fail

    XMLWordPrintableJSON

Details

    • Icon: Improvement Improvement
    • Resolution: Won't Fix
    • Icon: Major - P3 Major - P3
    • None
    • None
    • Aggregation Framework
    • None

    Description

      Observed behavior: A $literal value may be parsed as a FieldPath, triggering an exception if it represents an invalid FieldPath. This will allow a $literal field supplied by a malicious user to cause an aggregation query to fail with an assertion.
      Expected behavior: A $literal value is not parsed as an expression and is handled as a string literal.

      c = db.c;
      c.drop();
      c.save( { prefix:'moon' } );
       
      // This is a safe literal.
      suffix = 'beam';
       
      printjson( c.aggregate( { $project:{ word:{ $add:[ '$prefix', { $literal:suffix } ] } } } ) );
       
      // This literal is parsed as a FieldPath with adjacent dots, which is not allowed.
      suffix = '$hine..';
       
      printjson( c.aggregate( { $project:{ word:{ $add:[ '$prefix', { $literal:suffix } ] } } } ) );

      Attachments

        Activity

          People

            matt.dannenberg Matt Dannenberg
            aaron Aaron Staple
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: