[DOCS-13734] Could we please update our documentation regarding implicit eq parameter Created: 26/Jun/20 Updated: 30/Oct/23 Resolved: 15/Sep/20 |
|
| Status: | Closed |
| Project: | Documentation |
| Component/s: | manual, Server |
| Affects Version/s: | None |
| Fix Version/s: | Server_Docs_20231030 |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | Boris Sieklik | Assignee: | Dave Cuthbert (Inactive) |
| Resolution: | Fixed | Votes: | 1 |
| Labels: | docs-query, docs-security, docs-server-onboarding | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Days since reply: | 3 years, 21 weeks, 1 day ago | ||||
| Epic Link: | DOCSP-11701 | ||||
| Description |
Hello, During investigation of a potential security issue in SECURITY-650, we have discussed how MongoDB is using the implicit $eq parameter. This is just the property of our query language and it makes it much simpler for hundreds of applications out there to write simple eq queries. The practical example mentioned there was: { x: 1 } and { x: {$eq: 1} } are the same because we implicitly use the eq parameter.
Nevertheless, when searching the external documentation, we found that this implicit eq parameter is mentioned in our documentation, but perhaps not as clearly as it should be. Example links that we found: link1 and link2. This may then result in some of our clients or security researchers not understanding this query language property, and they may write insecure applications or incorrectly raise this as a security vulnerability.
Therefore, I was wondering if we could please update our documentation to make it clearer that the eq parameter is implicit?
Please let me know if this is not the right way to raise this or if you have any questions. Thank you! |
| Comments |
| Comment by Dave Cuthbert (Inactive) [ 15/Sep/20 ] |
|
Resolved in DOCSP-10981 |
| Comment by Ravind Kumar (Inactive) [ 26/Jun/20 ] |
|
Thoughts:
At least I think that is what we mean here - that is, users can expect a simple field equality to have the same behavior as an explicit {{$eq : value }} operation. charlie.swanson mentioned here that there are some differences in implicit equality vs explicit $eq. I think we'll need to dig into these and validate any and all differences there might be and document those on the $eq page. Maybe something like "Implicit vs Explicit Equality Behavior"
|
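An added example (not part of the ticket and not MongoDB's code) that models the equivalence quoted in the description, { x: 1 } and { x: {$eq: 1} }, and shows one way an application can keep an equality lookup an equality lookup when the value comes from a request body. The helper names, the scalar-only policy and the sample bodies are assumptions made for illustration.

```javascript
// Added example: a simplified model of how a filter value is read.
// This is not MongoDB's implementation; all function names are hypothetical.

// A plain object with at least one "$"-prefixed key is read as an operator
// expression; any other value is compared with implicit equality.
function isOperatorExpression(value) {
  if (value === null || typeof value !== "object" || Array.isArray(value)) return false;
  return Object.keys(value).some((key) => key.startsWith("$"));
}

// Rewrite every implicit equality into the explicit form from the ticket:
// { x: 1 } becomes { x: { $eq: 1 } }. Operator expressions pass through unchanged.
function toExplicit(filter) {
  const out = {};
  for (const [field, value] of Object.entries(filter)) {
    out[field] = isOperatorExpression(value) ? value : { $eq: value };
  }
  return out;
}

// Build an equality filter from untrusted input. Only scalars are accepted, so a
// request body can never change the comparison from equality to another operator.
function eqFilter(field, input) {
  const kind = input === null ? "null" : Array.isArray(input) ? "array" : typeof input;
  if (!["string", "number", "boolean", "null"].includes(kind)) {
    throw new TypeError(`${field}: expected a scalar, got ${kind}`);
  }
  return { [field]: { $eq: input } };
}

// Constructed sample request bodies (not taken from the ticket).
const samples = ['{"x": 1}', '{"x": {"$eq": 1}}', '{"x": {"$in": [1, 2]}}'];

// Report the filter the application would send, or why the input was refused.
function describeBody(body) {
  const { x } = JSON.parse(body);
  try {
    return JSON.stringify(eqFilter("x", x));
  } catch (err) {
    return `rejected (${err.message}); passed through it would read as ${JSON.stringify(toExplicit({ x }))}`;
  }
}

for (const body of samples) console.log(body, "=>", describeBody(body));
```

Only the first sample body is accepted; the other two carry an object where a scalar is expected, so the application refuses them instead of letting the body choose the operator.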