[DOCS-13734] Could we please update our documentation regarding implicit eq parameter Created: 26/Jun/20  Updated: 30/Oct/23  Resolved: 15/Sep/20

Status: Closed
Project: Documentation
Component/s: manual, Server
Affects Version/s: None
Fix Version/s: Server_Docs_20231030

Type: Task Priority: Major - P3
Reporter: Boris Sieklik Assignee: Dave Cuthbert (Inactive)
Resolution: Fixed Votes: 1
Labels: docs-query, docs-security, docs-server-onboarding
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
Participants:
Days since reply: 3 years, 21 weeks, 1 day ago
Epic Link: DOCSP-11701

 Description   

Description

Hello,

During investigation of potential security issue in SECURITY-650, we have discussed how MongoDB is using implicit $eq parameter. This just the property of our query language and it makes it much simpler for hundreds of applications out there to write simple eq queries.

Practical example mentioned there was: { x: 1 } and { x: {$eq: 1} } are the same because we use implicitly use eq parameter.

 

Nevertheless, when searching the external documentation, we found that this implicit eq parameter is mentioned in our documentation, but perhaps not as clearly as it should. Examples links that we found: link1 and link2.

This may then result in some of our clients or security researchers not understanding this query language property and they may write insecure applications or incorrectly raise this as security vulnerability.

 

Therefore, I was wondering if we could please update our documentation to make it clearer that eq parameter is implicit? 

 

Please let me know if this is not the right way how to raise this or if you have any questions.

Thank you!

Scope of changes

Impact to Other Docs

MVP (Work and Date)

Resources (Scope or Design Docs, Invision, etc.)



 Comments   
Comment by Dave Cuthbert (Inactive) [ 15/Sep/20 ]

Resolved in DOCSP-10981

Comment by Ravind Kumar (Inactive) [ 26/Jun/20 ]

Thoughts:

 

  • We could note on the $eq reference page that MongoDB implicitly converts {{ {field : value}

    }} to {field : {$eq : value}}

  • Do the same on the CRUD Query examples page

At least I think that is what we mean here - that is, users can expect a simple field equality to have the same behavior as an explicit {{$eq : value }} operation.

charlie.swanson mentioned here that there are some differences in implicit equality vs explicit $eq. I think we'll need to dig into these and validate any and all differences there might be and document those on the $eq page. Maybe something like "Implicit vs Explicit Equality Behavior"

 

Generated at Thu Feb 08 08:08:35 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.