[DOCS-328] A (malicious) JS script can set EDITOR to an unsafe value
Created: 06/Jul/12  Updated: 30/Oct/23  Resolved: 13/Sep/12

Status: Closed
Project: Documentation
Component/s: Server
Affects Version/s: None
Fix Version/s: Server_Docs_20231030

Type: Task
Priority: Trivial - P5
Reporter: Daniel Gottlieb (Inactive)
Assignee: Mark porter
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: Linux


Issue Links:
Related
related to SERVER-3787 'edit' command in shell Closed
is related to DOCS-79 Document Security and Authentication Closed

 Description   

Running a JS script with

mongo --shell <malicious_script.js>

can set the EDITOR variable, which is used to launch an editor via the edit command. Because edit just forks off a process with the command string of "<EDITOR value> <temp filename>", if the EDITOR is set to, say, rm -rf ~/, bad things can happen.

Programs that make use of the EDITOR environment variable all operate the same way (and by that I mean, they don't check to see if the value is actually an editor... because, well, they can't really). I propose clearly documenting that mongo is no different in this regard and warning users to be careful that scripts they run in the shell can modify the EDITOR variable.

Another possibility is clearing out the EDITOR JS variable after any script is run.
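
The reset-after-script idea above, combined with launching the editor from an argv instead of a command string, sketched in Node.js as an added example; it is not part of the original issue and not mongo shell code. The scope object, `runScriptGuardingEditor`, `editorArgv` and the allowlist are assumptions made for illustration.

```javascript
// Added illustration, not mongo shell source. A plain object stands in for the
// shell's global scope; node:vm only simulates loading a script into it and is
// not a security boundary.
const vm = require("node:vm");

// Assumed allowlist of bare editor names, resolved through PATH at spawn time.
const ALLOWED_EDITORS = new Set(["vi", "vim", "nano", "emacs"]);

// Run a script in the scope, then report and undo any change it made to EDITOR.
function runScriptGuardingEditor(scope, source) {
  const had = Object.prototype.hasOwnProperty.call(scope, "EDITOR");
  const before = scope.EDITOR;
  vm.runInContext(source, vm.createContext(scope));
  const after = scope.EDITOR;
  const changed = after !== before;
  if (changed) {
    if (had) scope.EDITOR = before;
    else delete scope.EDITOR;
  }
  return { changed, attempted: changed ? after : null };
}

// Build an argv for a shell-free launch (for example child_process.spawn with
// its default shell: false). Only a bare allowlisted name is accepted, so values
// carrying arguments or paths are refused rather than split and executed.
function editorArgv(editorValue, tempFile) {
  if (typeof editorValue !== "string" || editorValue.trim() === "") {
    return { ok: false, reason: "EDITOR is not set" };
  }
  const name = editorValue.trim();
  if (!ALLOWED_EDITORS.has(name)) {
    return { ok: false, reason: "EDITOR is not an allowlisted editor name" };
  }
  return { ok: true, argv: [name, tempFile] };
}

// Constructed sample: a script that quietly changes EDITOR, as in the report.
const shellScope = { EDITOR: "vim" };
const report = runScriptGuardingEditor(shellScope, 'EDITOR = "echo constructed-value";');
console.log(report, shellScope.EDITOR, editorArgv(shellScope.EDITOR, "/tmp/constructed.js"));
```

Refusing values that carry arguments is a deliberate narrowing: legitimate settings such as an editor plus flags would need their own allowlist entries.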



 Comments   
Comment by Mark porter [ 13/Sep/12 ]

Working as designed.

Comment by Mark porter [ 13/Sep/12 ]

samk Just wondering, are you proposing that this statement is included in DOCS-79? I think that this is working as designed and its mention in documentation will add confusion. I thought the understanding of the danger of having a malicious JavaScript called by 'eval' would have been a given.

Comment by Daniel Gottlieb (Inactive) [ 08/Jul/12 ]

I didn't call it a bug! I was really just proposing one sentence of documentation that reinforces that mongo shell scripts are no more secure than other scripts a developer may run. Maybe scripts potentially being malicious is as common knowledge as we hope it should be, but I'm not sure if people make the connection that mongo/JavaScript can invoke shell commands like any other language, the EDITOR variable being yet another (albeit circuitous) avenue of exploitation. I'm not proposing a redesign of the actual function.

Comment by Andy Schwerin [ 08/Jul/12 ]

I'm pretty sure this isn't a security bug. I don't see how it's different from letting a user execute a mongo shell program that forks a "rm -rf" subprocess, or for that matter, running a python or shell script that runs the equivalent of rm -rf.

Generated at Thu Feb 08 07:38:26 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.