[CDRIVER-2814] No simple way to validate a BSON document without crashing
Created: 05/Sep/18 Updated: 06/Apr/23 Resolved: 06/Sep/18
| Status: | Closed |
| Project: | C Driver |
| Component/s: | libmongoc |
| Affects Version/s: | 1.12.0 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Bh Sr | Assignee: | Kevin Albertson |
| Resolution: | Won't Fix | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | Windows 10 |
| Issue Links: | |
| Description |
If I call bson_validate() with a document with more than 500 levels of nesting, it crashes. I had created a separate bug for insert (
So in effect, bson_validate() only works on already validated documents.
I think this is a serious issue which needs to be fixed. I understand that there are inconsistencies in what the MongoDB server does and what the Extended JSON Spec says. But I think using the maximum depth of 180 like the MongoDB server does is much better than letting it crash or requiring users to validate the document before calling bson_validate(). I don't think the change will make the Extended JSON Spec any more untrue than it is today.
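The crash described above is a stack-exhaustion problem: a recursive validator walks as deep as the input tells it to. The following is an added example, not code from this ticket or from libbson, of the kind of pre-check a caller can run before handing a buffer to bson_validate(). It parses the raw BSON bytes directly rather than going through bson_visitor_t, so it builds without libbson, and it keeps an explicit stack of open documents instead of recursing, which is what makes a deeply nested input harmless to it. The limit of 180 is the server limit quoted in the description; the function names (bson_nesting_depth, build_nested_doc, nested_doc_depth, flat_doc_depth) and the sample documents are constructed for this example. Element types the walker does not parse (dbpointer 0x0C, code_w_scope 0x0F) are rejected rather than skipped, so nothing nestable can slip past the depth count.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Nesting limit enforced by the MongoDB server, as quoted in the ticket. */
#define SERVER_MAX_DEPTH 180

/* Bounds-checked little-endian int32 read; returns 0 on success. */
static int rd_i32(const uint8_t *b, size_t len, size_t off, int32_t *out) {
    if (off > len || len - off < 4) return -1;
    *out = (int32_t)((uint32_t)b[off] | ((uint32_t)b[off + 1] << 8) |
                     ((uint32_t)b[off + 2] << 16) | ((uint32_t)b[off + 3] << 24));
    return 0;
}

/* Advance *off past a NUL-terminated key or regex component; requires *off <= len. */
static int skip_cstring(const uint8_t *b, size_t len, size_t *off) {
    const uint8_t *nul = memchr(b + *off, 0, len - *off);
    if (!nul) return -1;
    *off = (size_t)(nul - b) + 1;
    return 0;
}

/* Walk raw BSON with an explicit stack instead of recursion, so deep input cannot exhaust
 * the C stack. Returns the maximum nesting depth (top-level document = 1), or -1 if the
 * buffer is malformed, holds an element type not parsed here, or nests deeper than `limit`. */
int bson_nesting_depth(const uint8_t *b, size_t len, int limit) {
    int depth = 0, maxdepth = 0, rc = -1;
    size_t off = 4, *ends;                      /* ends[i]: end offset of open document i */
    int32_t n;
    if (limit < 1 || !(ends = malloc((size_t)limit * sizeof *ends))) return -1;
    if (rd_i32(b, len, 0, &n) || n < 5 || (size_t)n > len) goto done;
    ends[0] = (size_t)n; depth = maxdepth = 1;
    while (depth > 0) {
        size_t end = ends[depth - 1];
        if (off >= end) goto done;              /* no terminator before the declared end */
        uint8_t type = b[off++];
        if (type == 0x00) {                     /* terminator of the current document */
            if (off != end) goto done;
            depth--; continue;
        }
        if (skip_cstring(b, end, &off)) goto done;   /* element key */
        switch (type) {
        case 0x03: case 0x04:                   /* embedded document / array: push it */
            if (rd_i32(b, end, off, &n) || n < 5 || (size_t)n > end - off) goto done;
            if (depth == limit) goto done;      /* would exceed the nesting limit */
            ends[depth++] = off + (size_t)n;
            if (depth > maxdepth) maxdepth = depth;
            off += 4;
            break;
        case 0x02: case 0x0D: case 0x0E:        /* string, code, symbol: int32 len + bytes */
            if (rd_i32(b, end, off, &n) || n < 1) goto done;
            off += 4 + (size_t)n; break;
        case 0x05:                              /* binary: int32 len + subtype + bytes */
            if (rd_i32(b, end, off, &n) || n < 0) goto done;
            off += 5 + (size_t)n; break;
        case 0x0B:                              /* regex: pattern and options cstrings */
            if (skip_cstring(b, end, &off) || skip_cstring(b, end, &off)) goto done;
            break;
        case 0x01: case 0x09: case 0x11: case 0x12: off += 8; break;  /* double, datetime, timestamp, int64 */
        case 0x07: off += 12; break; case 0x13: off += 16; break;     /* ObjectId, decimal128 */
        case 0x10: off += 4; break;  case 0x08: off += 1; break;      /* int32, bool */
        case 0x0A: case 0xFF: case 0x7F: break;                       /* null, minkey, maxkey */
        default: goto done;   /* unknown, or not parsed here (dbpointer 0x0C, code_w_scope 0x0F): reject, never skip */
        }
        if (off > end) goto done;               /* value ran past its document */
    }
    if (off == len) rc = maxdepth;              /* no trailing bytes after the top-level document */
done:
    free(ends);
    return rc;
}

/* Constructed sample {"a":{"a":{...{}...}}} with `levels` documents in total (top-level
 * included). Returns the encoded length, or 0 if `out` is too small. */
size_t build_nested_doc(int levels, uint8_t *out, size_t cap) {
    size_t off = 0;
    if (levels < 1 || 5 + 8 * (size_t)(levels - 1) > cap) return 0;
    for (int i = 0; i < levels; i++) {
        size_t dlen = 5 + 8 * (size_t)(levels - 1 - i);   /* length prefix of document i */
        out[off++] = (uint8_t)dlen; out[off++] = (uint8_t)(dlen >> 8);
        out[off++] = (uint8_t)(dlen >> 16); out[off++] = (uint8_t)(dlen >> 24);
        if (i < levels - 1) { out[off++] = 0x03; out[off++] = 'a'; out[off++] = 0x00; }
    }
    for (int i = 0; i < levels; i++) out[off++] = 0x00;   /* one terminator per document */
    return off;
}

/* Depth check of the constructed nested sample against `limit`. */
int nested_doc_depth(int levels, int limit) {
    static uint8_t buf[8192];
    size_t len = build_nested_doc(levels, buf, sizeof buf);
    return len ? bson_nesting_depth(buf, len, limit) : -1;
}

/* Constructed flat sample {"s":"hi"}; `drop` bytes are cut from the end to model truncation. */
int flat_doc_depth(size_t drop) {
    static const uint8_t doc[] = {0x0F,0,0,0, 0x02,'s',0, 0x03,0,0,0,'h','i',0, 0x00};
    return drop >= sizeof doc ? -1 : bson_nesting_depth(doc, sizeof doc - drop, SERVER_MAX_DEPTH);
}
```

Calling nested_doc_depth(500, SERVER_MAX_DEPTH) returns -1 without ever touching more than 180 stack slots, whereas nested_doc_depth(500, 1000) returns 500; flat_doc_depth(1) returns -1 because the declared length no longer matches the buffer. The intent is that a caller rejects any buffer for which this returns -1 before calling bson_validate() or bson_init_static() on it.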
| Comments |
| Comment by Viacheslav Usov [ 15/Oct/18 ] |
@Kevin Albertson I find your attitude rather strange. What you say is: "since you can write your own code to do X, we are not going to fix Y in libbson". Given that BSON is an open specification of what a bunch of bytes in a region of memory means, and libbson is just a convenience you provide to deal with that, I can ALWAYS write my code to do X no matter what Y is. So you have an excellent excuse for never fixing any issues your libbson has, because hey, the user can just massage those bytes, that's not rocket science! Fact is, your documentation states (http://mongoc.org/libbson/current/parsing.html#validating-a-bson-document): "If all you want to do is validate that a BSON document is valid, you can use bson_validate()." But doing so, as explained, can crash my application, possibly creating an exploitable security vulnerability. And if I start pre-validating BSON documents for this particular issue, how do I know there is no other issue I need to pre-validate for, and how can I make sure my code actually works correctly and is not a security hole in itself? And what if I am a user who does not watch your bug list and is blissfully unaware of the need to pre-validate BSON inputs to begin with? Dismissing this bug "since you can accomplish this using bson_visitor_t" would be a very irresponsible act by libbson's maintainers.
| Comment by Kevin Albertson [ 06/Sep/18 ] |
Hi Bhargava, Although it is an additional check, since you can accomplish this using bson_visitor_t we won't be changing bson_validate. Thanks for your understanding.
| Comment by Bh Sr [ 05/Sep/18 ] |
To be clear, it's fine if bson_validate() uses the Extended JSON Spec's limit as well. I just think that the library should provide an API to check whether a BSON document is "valid" and is something that the rest of the BSON API can handle.