Core Server / SERVER-85849

Skip query settings application on internal collections

Details

    • Type: Task
    • Resolution: Fixed
    • Priority: Major - P3
    • 8.0.0-rc0
    • Fully Compatible
    • QE 2024-02-05

    Description

      Currently there are guards in place to prevent query settings from being applied on id hack queries and queries containing encryption information. We should extend those guards to also include queries targeting internal collections to prevent potential unwanted edge cases / attack vectors.

      Since users will be able to set query settings via hash as well, we would need to add validation in two places:

      • query settings being set via query: here we can just throw a user-friendly message stating that setting query settings on internal collections is forbidden
      • query settings lookup: we will avoid performing the query settings lookup if the query involves internal collections
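
The two guard points described above, as an added C++ model that is not MongoDB server code: every name in it is hypothetical, and the definition of an internal collection (the admin, local and config databases, or a system.* collection) and the namespace-qualified shape hash are assumptions. It shows why the set-time check alone is not enough once settings can be stored by bare hash.

```cpp
#include <cstddef>
#include <functional>
#include <map>
#include <stdexcept>
#include <string>

// Simplified model; all names are hypothetical, not MongoDB server code.
struct Query {
    std::string db;
    std::string coll;
    std::string filterShape;  // stand-in for the normalized query shape
};
using ShapeHash = std::size_t;
using Settings = std::string;  // e.g. an index hint

// Assumption: "internal" = admin/local/config databases or a system.* collection.
bool isInternal(const Query& q) {
    return q.db == "admin" || q.db == "local" || q.db == "config" ||
           q.coll.rfind("system.", 0) == 0;
}

// Assumption: the shape hash covers the namespace as well as the filter shape.
ShapeHash shapeHash(const Query& q) {
    return std::hash<std::string>{}(q.db + "." + q.coll + "|" + q.filterShape);
}

class QuerySettingsStore {
public:
    // Guard 1: a representative query names its namespace, so reject up front.
    void setByQuery(const Query& q, const Settings& s) {
        if (isInternal(q))
            throw std::invalid_argument(
                "setting query settings on internal collections is forbidden");
        byHash_[shapeHash(q)] = s;
    }
    // A bare hash carries no namespace, so nothing can be validated here.
    void setByHash(ShapeHash h, const Settings& s) { byHash_[h] = s; }

    // Guard 2: skip the lookup for internal collections even if an entry exists.
    const Settings* lookup(const Query& q) const {
        if (isInternal(q)) return nullptr;
        auto it = byHash_.find(shapeHash(q));
        return it == byHash_.end() ? nullptr : &it->second;
    }
    std::size_t size() const { return byHash_.size(); }
private:
    std::map<ShapeHash, Settings> byHash_;
};
```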

          People

            james.harrison@mongodb.com James Harrison
            catalin.sumanaru@mongodb.com Catalin Sumanaru