value in a $literal expression can trigger an expression parse assertion causing an aggregation to fail


    • Type: Improvement
    • Resolution: Won't Fix
    • Priority: Major - P3
    • Affects Version/s: None
    • Component/s: Aggregation Framework

      Observed behavior: A $literal value may be parsed as a FieldPath, triggering an exception if it represents an invalid FieldPath. This will allow a $literal field supplied by a malicious user to cause an aggregation query to fail with an assertion.
      Expected behavior: A $literal value is not parsed as an expression and is handled as a string literal.

      c = db.c;
      c.drop();
      c.save( { prefix:'moon' } );
      
      // This is a safe literal.
      suffix = 'beam';
      
      printjson( c.aggregate( { $project:{ word:{ $add:[ '$prefix', { $literal:suffix } ] } } } ) );
      
      // This literal is parsed as a FieldPath with adjacent dots, which is not allowed.
      suffix = '$hine..';
      
      printjson( c.aggregate( { $project:{ word:{ $add:[ '$prefix', { $literal:suffix } ] } } } ) );
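
An application-side check for the behavior reported above, as an added example that is not part of the original issue or of MongoDB's code: it classifies a user-supplied string before it is wrapped in `$literal`, so the application rejects the input instead of letting the aggregation fail. The function names are hypothetical, and the rules (a leading `$` marks a field path; an empty dot-separated component makes it invalid) are assumptions drawn from the report's `'$hine..'` case.

```javascript
// Added example, not code from the issue. Assumptions (from the report):
// a string starting with '$' is parsed as a field path, and a path with an
// empty dot-separated component (adjacent or trailing dots) is rejected.

function classifyLiteral(value) {
  if (typeof value !== 'string' || !value.startsWith('$')) {
    return 'plain';                 // never looks like a field path
  }
  const components = value.slice(1).split('.');
  // An empty component means adjacent dots, a trailing dot, or a bare '$'.
  return components.some((c) => c.length === 0)
    ? 'invalid-field-path'          // the case that trips the parse assertion
    : 'field-path';                 // assumed to be read as a field reference
}

// Hypothetical helper: refuse any value that would not be handled as a
// plain string literal, rather than sending it to the server.
function safeLiteral(value) {
  const kind = classifyLiteral(value);
  if (kind !== 'plain') {
    throw new RangeError(
      `refusing $literal value (${kind}): ${JSON.stringify(value)}`
    );
  }
  return { $literal: value };
}

// Build the report's $project stage only from checked input.
function buildStage(suffix) {
  return { $project: { word: { $add: ['$prefix', safeLiteral(suffix)] } } };
}

// Constructed sample inputs; 'beam' and '$hine..' are the report's values.
function demo() {
  return ['beam', '$hine..', '$prefix', '$a..b', 'a..b', '$'].map(
    (v) => [v, classifyLiteral(v)]
  );
}

console.log(demo());
```
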
      

            Assignee:
            Matt Dannenberg (Inactive)
            Reporter:
            Aaron Staple (Inactive)