[CSHARP-3080] Fix possible nosql injection Created: 28/Apr/20  Updated: 13/Jul/20  Resolved: 13/Jul/20

Status: Closed
Project: C# Driver
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Vincent Kam (Inactive) Assignee: Unassigned
Resolution: Won't Fix Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related

 Description   

Description from contributor PR: https://github.com/mongodb/mongo-csharp-driver/pull/401

You can make any comparsion by an equal operator if you compare to BsonDocument for example:

Example

IMongoCollection<BsonDocument> collection;
var value = new BsonDocument { { "$gt", 3 } };
var query = collection.Find(x => x["field"] == value);
 
//it will execute:
//find({ "field" : { "$gt" : 3 } })

I think it can cause security vulnerability for unaware developer, who trust, that equal operator always will test for equality:

public List<BsonDocument> GetObjectByUser(IMongoCollection<BsonDocument> collection, BsonValue data)
{
	return collection.Find(x => x["userId"] == data["userId"]).ToList();
}
public void Attack(IMongoCollection<BsonDocument> collection)
{
	var data = GetObjectByUser(collection, new BsonDocument { { "userId", new BsonDocument { { "$ne", ObjectId.Empty } } } });
}



 Comments   
Comment by Esha Bhargava [ 13/Jul/20 ]

See comment on the associated pull request.

Generated at Wed Feb 07 21:44:18 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.