Details
Improvement
Resolution: Won't Fix
Major - P3
Description
Observed behavior: A $literal value may be parsed as a FieldPath, triggering an exception if it represents an invalid FieldPath. This will allow a $literal field supplied by a malicious user to cause an aggregation query to fail with an assertion.
Expected behavior: A $literal value is not parsed as an expression and is handled as a string literal.
c = db.c;
c.drop();
c.save( { prefix:'moon' } );

// This is a safe literal.
suffix = 'beam';

printjson( c.aggregate( { $project:{ word:{ $add:[ '$prefix', { $literal:suffix } ] } } } ) );

// This literal is parsed as a FieldPath with adjacent dots, which is not allowed.
suffix = '$hine..';

printjson( c.aggregate( { $project:{ word:{ $add:[ '$prefix', { $literal:suffix } ] } } } ) );
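An application-side guard for the behavior reported above, as an added example that is not part of the original ticket or MongoDB's own code: it refuses user-supplied strings that an affected server would parse as a FieldPath before they are wrapped in $literal. The function names and the FieldPath rule used here (leading `$`, no empty dot-separated component) are assumptions drawn from the repro.

```javascript
// Added example: client-side guard, not MongoDB server code.
// Assumed rule (from the repro above): a string starting with '$' is parsed
// as a FieldPath, and an empty dot-separated component makes it invalid.
function classifyOperand(value) {
  if (typeof value !== 'string') {
    return { kind: 'non-string', safe: true };
  }
  if (!value.startsWith('$')) {
    return { kind: 'plain-string', safe: true };
  }
  const components = value.slice(1).split('.');
  const emptyAt = components.findIndex((part) => part.length === 0);
  if (emptyAt !== -1) {
    // Would raise the FieldPath exception and fail the whole aggregation.
    return { kind: 'invalid-field-path', safe: false, emptyComponent: emptyAt };
  }
  // Well-formed path: no exception, but it would be read as a field
  // reference rather than as the literal text the caller intended.
  return { kind: 'field-path', safe: false, components };
}

// Hypothetical helper: builds the $project stage from the ticket only when
// the user-supplied suffix cannot be mistaken for a FieldPath.
function buildProjectStage(userSuffix) {
  const verdict = classifyOperand(userSuffix);
  if (!verdict.safe) {
    throw new RangeError('rejected ' + verdict.kind + ': ' + JSON.stringify(userSuffix));
  }
  return { $project: { word: { $add: ['$prefix', { $literal: userSuffix }] } } };
}

// Constructed sample inputs, including both values from the ticket.
const samples = ['beam', '$hine..', '$prefix', '$', 'a..b', 42];
function report(inputs) {
  return inputs.map((v) => ({ input: v, kind: classifyOperand(v).kind }));
}
console.log(report(samples));
```

Rejecting the well-formed `$prefix` case as well is deliberate: it would not raise an exception, but per the observed behavior it would not be handled as a string literal either.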