[CDRIVER-2814] No simple way to validate a BSON document without crashing Created: 05/Sep/18  Updated: 06/Apr/23  Resolved: 06/Sep/18

Status: Closed
Project: C Driver
Component/s: libmongoc
Affects Version/s: 1.12.0
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Bh Sr Assignee: Kevin Albertson
Resolution: Won't Fix Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Windows 10


Issue Links:
Related
related to CDRIVER-2701 Add example of validating BSON nestin... Closed

Description

If I call bson_validate() with a document with more than 500 levels of nesting, it crashes.

I had created a separate bug for insert (CDRIVER-2701) and the workaround suggested was too complicated and not very efficient. It seems strange to me that we need to validate the document before calling the validate function (whose job it is to say whether the document is valid or not) just to prevent it from crashing.

So in effect, bson_validate() only works on already validated documents.

I think this is a serious issue which needs to be fixed. I understand that there are inconsistencies in what MongoDB server does and what Extended JSON Spec says. But I think using the maximum depth of 180 like MongoDB server does is much better than letting it crash or requiring users to validate the document before calling bson_validate(). I don't think the change will make what the Extended JSON Spec says any more untrue than it is today.

Comments
Comment by Viacheslav Usov [ 15/Oct/18 ]

@Kevin Albertson

I find your attitude rather strange. What you say is: "since you can write your own code to do X, we are not going to fix Y in libbson". Given that BSON is an open specification of what a bunch of bytes in a region of memory means, and libbson is just a convenience you provide to deal with that, I can ALWAYS write my code to do X no matter what Y is. So you have an excellent excuse for never fixing any issues your libbson has, because hey, the user can just massage those bytes, that's not rocket science!

Fact is, your documentation (http://mongoc.org/libbson/current/parsing.html#validating-a-bson-document) states: "If all you want to do is validate that a BSON document is valid, you can use bson_validate()."

But doing so, as explained, can crash my application, possibly creating an exploitable security vulnerability. And if I start pre-validating BSON documents for this particular issue, how do I know there is no other issue I need to pre-validate for, and how can I make sure my code actually works correctly and is not a security hole in itself? And what if I am a user who does not watch your bug list and is blissfully unaware of the need to pre-validate BSON inputs to begin with?

Dismissing this bug "since you can accomplish this using bson_visitor_t" would be a very irresponsible act by libbson's maintainers.

Comment by Kevin Albertson [ 06/Sep/18 ]

Hi Bhargava,

Although it is an additional check, since you can accomplish this using bson_visitor_t we won't be changing bson_validate. Thanks for your understanding.

Comment by Bh Sr [ 05/Sep/18 ]

To be clear, it's fine if bson_validate() uses Extended JSON Spec's limit as well. I just think that the library should provide an API to check whether a BSON document is "valid" and is something that the rest of the BSON API can handle.
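The pre-check that the description and Kevin Albertson's comment both refer to, as an added example that is neither libbson's code nor the reporter's: an iterative, depth-bounded walk over raw BSON bytes that rejects a document nested deeper than the server's limit of 180 before the bytes reach a recursive parser, plus a constructed nested input to exercise it. With libbson the same counter could be kept in bson_visitor_t callbacks; this standalone version assumes little-endian int32 size fields and handles only documents, arrays and int32 values, and the function names bson_max_depth and nested_depth_check are hypothetical.

```c
#include <stdint.h>
#include <string.h>
#define MAX_DEPTH 180   /* the MongoDB server nesting limit quoted in the issue */

static int32_t rd32(const uint8_t *p) { return (int32_t)(p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24); }
static void wr32(uint8_t *p, int32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
/* Iterative walk (no recursion, so nesting cannot exhaust the stack). Returns the maximum
 * depth of embedded documents/arrays, or -1 on truncation, malformed sizes, a depth beyond
 * MAX_DEPTH, or a BSON type this hypothetical checker does not handle. */
int bson_max_depth(const uint8_t *buf, size_t len) {
    size_t ends[MAX_DEPTH + 1], pos = 4; int depth = 0, max = 0;   /* ends: end offset per open doc */
    if (len < 5 || rd32(buf) < 5 || (size_t)rd32(buf) > len) return -1;
    ends[0] = (size_t)rd32(buf);
    for (;;) {
        if (pos >= ends[depth]) return -1;      /* ran off the end of the document */
        uint8_t type = buf[pos++];
        if (type == 0x00) {                     /* document terminator */
            if (pos != ends[depth]) return -1;  /* size field disagrees with content */
            if (depth == 0) return max;
            depth--; continue;
        }
        const uint8_t *z = memchr(buf + pos, 0, ends[depth] - pos);  /* key cstring */
        if (!z) return -1; pos = (size_t)(z - buf) + 1;
        switch (type) {
        case 0x03: case 0x04:                   /* embedded document / array */
            if (pos + 4 > ends[depth] || rd32(buf + pos) < 5 ||
                pos + (size_t)rd32(buf + pos) > ends[depth]) return -1;
            if (depth == MAX_DEPTH) return -1;  /* too deep: reject instead of descending */
            ends[++depth] = pos + (size_t)rd32(buf + pos);
            if (depth > max) max = depth; pos += 4; break;
        case 0x10: pos += 4; break;             /* int32 */
        default: return -1;                     /* unsupported type: fail closed */
        }
    }
}

/* Constructed input {"a":{"a":...{"a":1}...}} with `levels` embedded documents, checked
 * with `cut` bytes removed from the end; returns bson_max_depth's verdict (-2: too big). */
int nested_depth_check(int levels, size_t cut) {
    static uint8_t out[4096]; size_t p = 0;
    if (sizeof out < 12 + 8 * (size_t)levels) return -2;
    for (int i = 0; i <= levels; i++) {         /* size field, type byte, key "a" per level */
        wr32(out + p, (int32_t)(12 + 8 * (levels - i))); p += 4;
        out[p++] = (i < levels) ? 0x03 : 0x10; out[p++] = 'a'; out[p++] = 0;
    }
    wr32(out + p, 1); p += 4;                   /* innermost value: int32 1 */
    for (int i = 0; i <= levels; i++) out[p++] = 0;   /* terminator for every document */
    return bson_max_depth(out, p - cut);
}
```

A 500-level document like the one in the report is refused with -1 rather than descended into, and a truncated buffer is refused the same way.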

Generated at Wed Feb 07 21:16:24 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.