Details
-
Bug
-
Resolution: Done
-
Major - P3
-
None
-
None
-
None
-
Major Change
-
ALL
Description
The reducer and finalizer functions both provide access to the Mongo constructor, in a way that enabled a malicious user to write to arbitrary databases on the shard server (and perhaps to perform arbitrary operations).
Coincidentally, the locking logic prevents this in the mapper, but it is not very futureproof.
A proposed solution is to restrict map reduce functions, where functions, etc. to a much narrower scope of operations.
I propose they be restricted to the following scope:
BinData
|
DBRef
|
Geo
|
HexData
|
ISODate
|
MD5
|
MaxKey
|
MinKey
|
NumberInt
|
NumberLong
|
ObjectId
|
Random
|
Timestamp
|
UUID
|
argumentsToArray
|
assert
|
compare ??
|
compareOn ??
|
doassert
|
emit
|
friendlyEqual
|
gc
|
hex_md5
|
isNumber
|
isObject
|
isString
|
print
|
printjson
|
printjsononeline
|
sleep ??
|
tojson
|
tojsonObject
|
tojsononeline
|
verify
|
version
|
As opposed to today, where they have access to the following:
print
|
version
|
load
|
gc
|
DB
|
DBCollection
|
DBQuery
|
ObjectId
|
DBRef
|
DBPointer
|
BinData
|
UUID
|
MD5
|
HexData
|
NumberLong
|
NumberInt
|
Timestamp
|
MaxKey
|
MinKey
|
hex_md5
|
sleep
|
benchRun
|
benchRunSync
|
benchStart
|
benchFinish
|
Mongo
|
_jsTestOptions
|
__quiet
|
__magicNoPrint
|
__callLastError
|
_verboseShell
|
chatty
|
friendlyEqual
|
printStackTrace
|
setVerboseShell
|
doassert
|
assert
|
verify
|
argumentsToArray
|
isString
|
isNumber
|
isObject
|
_barFormat
|
ISODate
|
compare
|
compareOn
|
tojsononeline
|
tojson
|
tojsonObject
|
shellPrint
|
printjson
|
printjsononeline
|
TestData
|
jsTestName
|
jsTestFile
|
jsTestPath
|
jsTestOptions
|
setJsTestOption
|
jsTestLog
|
jsTest
|
replSetMemberStatePrompt
|
shellPrintHelper
|
shellAutocomplete
|
shellHelper
|
Map
|
Random
|
Geo
|
rs
|
help
|
__lastres__
|
sh
|
connect
|
MR
|
MapReduceResult
|
_mongo
|
db
|
_funcs1
|
_funcs2
|
_map
|
_funcs3
|
_reduce
|
_funcs4
|
_finalize
|
_doFinal
|
emit
|
args
|
_emitCt
|
_keyCt
|
_dupCt
|
_redCt
|
_mrMap
|
_funcs5
|
_funcs6
|
_funcs7
|
_funcs8
|
return
|
____db____
|
Attachments
Issue Links
- duplicates
-
SERVER-3130 m/r map/reduce functions should not allow db access
-
- Closed
-
- related to
-
SERVER-9249 db object no longer available to mapper
-
- Closed
-
-
SERVER-9369 my join workaround has different behavior on different mongo versions
-
- Closed
-