Details
-
Task
-
Resolution: Unresolved
-
Major - P3
-
Server Security
-
Security 2024-01-22, Security 2024-02-05, Security 2024-02-19
-
135
Description
Currently, we have a lot of calls to cc() hidden in our Authentication and Authorization subsystem. However, in this system we should always be operating within a client and operation context, which means we should have the pointer to it somewhere above in the stack. Calling cc() seems like a byproduct of poor design, so we should audit calls to cc() within authz/n and ensure that we are passing a client or opCtx down whenever necessary.