Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-8104

MapReduce on Sharded System Can Bypass Auth Checks

    • Type: Icon: Bug Bug
    • Resolution: Done
    • Priority: Icon: Major - P3 Major - P3
    • 2.4.0-rc0
    • Affects Version/s: None
    • Component/s: None
    • None
    • Major Change
    • ALL

      The reducer and finalizer functions both provide access to the Mongo constructor, in a way that enabled a malicious user to write to arbitrary databases on the shard server (and perhaps to perform arbitrary operations).

      Coincidentally, the locking logic prevents this in the mapper, but it is not very futureproof.

      A proposed solution is to restrict map reduce functions, where functions, etc. to a much narrower scope of operations.

      I propose they be restricted to the following scope:

      BinData
      DBRef
      Geo
      HexData
      ISODate
      MD5
      MaxKey
      MinKey
      NumberInt
      NumberLong
      ObjectId
      Random
      Timestamp
      UUID
      argumentsToArray
      assert
      compare ??
      compareOn ??
      doassert
      emit
      friendlyEqual
      gc
      hex_md5
      isNumber
      isObject
      isString
      print
      printjson
      printjsononeline
      sleep ??
      tojson
      tojsonObject
      tojsononeline
      verify
      version
      

      As opposed to today, where they have access to the following:

      print
      version
      load
      gc
      DB
      DBCollection
      DBQuery
      ObjectId
      DBRef
      DBPointer
      BinData
      UUID
      MD5
      HexData
      NumberLong
      NumberInt
      Timestamp
      MaxKey
      MinKey
      hex_md5
      sleep
      benchRun
      benchRunSync
      benchStart
      benchFinish
      Mongo
      _jsTestOptions
      __quiet
      __magicNoPrint
      __callLastError
      _verboseShell
      chatty
      friendlyEqual
      printStackTrace
      setVerboseShell
      doassert
      assert
      verify
      argumentsToArray
      isString
      isNumber
      isObject
      _barFormat
      ISODate
      compare
      compareOn
      tojsononeline
      tojson
      tojsonObject
      shellPrint
      printjson
      printjsononeline
      TestData
      jsTestName
      jsTestFile
      jsTestPath
      jsTestOptions
      setJsTestOption
      jsTestLog
      jsTest
      replSetMemberStatePrompt
      shellPrintHelper
      shellAutocomplete
      shellHelper
      Map
      Random
      Geo
      rs
      help
      __lastres__
      sh
      connect
      MR
      MapReduceResult
      _mongo
      db
      _funcs1
      _funcs2
      _map
      _funcs3
      _reduce
      _funcs4
      _finalize
      _doFinal
      emit
      args
      _emitCt
      _keyCt
      _dupCt
      _redCt
      _mrMap
      _funcs5
      _funcs6
      _funcs7
      _funcs8
      return
      ____db____
      

        1. authmr.js
          3 kB
          Andy Schwerin

            Assignee:
            benjamin.becker Ben Becker
            Reporter:
            schwerin@mongodb.com Andy Schwerin
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Created:
              Updated:
              Resolved: