[DOCS-328] A (malicious) JS script can set EDITOR to an unsafe value Created: 06/Jul/12 Updated: 30/Oct/23 Resolved: 13/Sep/12 |
|
| Status: | Closed |
| Project: | Documentation |
| Component/s: | Server |
| Affects Version/s: | None |
| Fix Version/s: | Server_Docs_20231030 |
| Type: | Task | Priority: | Trivial - P5 |
| Reporter: | Daniel Gottlieb (Inactive) | Assignee: | Mark porter |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Environment: |
Linux |
||
| Issue Links: |
|
||||||||||||
| Participants: | |||||||||||||
| Days since reply: | 11 years, 22 weeks, 6 days ago | ||||||||||||
| Description |
|
Running a JS script with
Programs that make use of the EDITOR environment variable all operate the same way (and by that I mean, they don't check to see if the value is actually an editor...because well they can't really). I propose clearly documenting mongo is no different in this regard and to warn users to be careful that scripts they run in the shell can modify the EDITOR variable. Another possibility is clearing out the EDITOR JS variable after any script is run. |
| Comments |
| Comment by Mark porter [ 13/Sep/12 ] |
|
Working as designed. |
| Comment by Mark porter [ 13/Sep/12 ] |
|
samk Just wondering are you proposing that this statement is included in |
| Comment by Daniel Gottlieb (Inactive) [ 08/Jul/12 ] |
|
I didn't call it a bug! I was really just proposing one sentence of documentation that reinforces mongo shell scripts are no more secure than other scripts a developer may run. Maybe scripts potentially being malicious is as common knowledge as we hope it should be, but I'm not sure if people make the connection that mongo/javascript can invoke shell commands like any other language. The EDITOR variable being yet another (albeit circuitous) avenue of exploitation. I'm not proposing a redesign of the actual function. |
| Comment by Andy Schwerin [ 08/Jul/12 ] |
|
I'm pretty sure this isn't a security bug. I don't see how it's different from letting a user execute a mongo shell program that forks a "rm -rf" subprocess, or for that matter, running a python or shell script that runs the equivalent of rm -rf. |