[SERVER-10840] injection is too easy with agg framework syntax Created: 22/Sep/13  Updated: 06/Dec/22

Status: Backlog
Project: Core Server
Component/s: Aggregation Framework, Querying, Security, Write Ops
Affects Version/s: 2.5.2
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Dwight Merriman Assignee: Backlog - Query Optimization
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to SERVER-55509 {example: /regex/} and {example: {$eq... Backlog
related to SERVER-5782 need a $literal operator to help prev... Closed
Assigned Teams:
Query Optimization
Participants:

Description

The aggregation framework supports a syntax with dollar sign field name selection on the right-hand side. This creates a potential for an injection style attack analogous to sql injection.

There is now a $literal operator (SERVER-5782). However, the claim of this ticket is that that isn't sufficient. It does solve an issue – you can use dollar signs in literals – but doesn't really solve the injection issue. The client side, if smart enough to always use $literal, could just as easily look for leading dollar signs instead, for example.

Of particular importance here would be if the aggregation framework syntax migrates into the regular query syntax. Then if one failed to use $literal, it would be likely there would be a good number of apps out there with an injection vulnerability either with projection or querying.

One solution would be to use a lhs rather than rhs operator, e.g.:

{ x : "$foo" }

->

{ x : { $get : "foo" } }

The main concern here is if this operator were to move beyond the $project operator phrases and into other things.
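To make the injection concern and the two proposed remedies concrete, here is an added example (not code from MongoDB or from this ticket). It is a small in-memory evaluator for only the $project expression rules the ticket depends on: a string whose first character is "$" is a field path, { $literal: v } yields v untouched, and any other value is a constant. The evalLhs function models the left-hand-side syntax sketched above; "$get" is the ticket's proposal, not an existing MongoDB operator, and the sample document and field names are constructed for the demonstration.

```javascript
// Added example, not MongoDB's code: a tiny evaluator for the subset of
// $project expression semantics that the injection concern depends on.
// Rules modelled: a string starting with "$" is a field path,
// { $literal: v } yields v untouched, anything else is a constant.

// Resolve a dotted path such as "profile.ssn" against a document.
function getPath(doc, path) {
  return path.split('.').reduce(
    (cur, key) => (cur == null ? undefined : cur[key]),
    doc,
  );
}

// Current (right-hand-side) semantics: the *value* decides whether a
// string is data or a field reference.
function evalRhs(expr, doc) {
  if (typeof expr === 'string' && expr.startsWith('$')) {
    return getPath(doc, expr.slice(1));
  }
  if (expr !== null && typeof expr === 'object' && !Array.isArray(expr)) {
    if ('$literal' in expr) return expr.$literal;
  }
  return expr;
}

// Hypothetical left-hand-side semantics as sketched in the ticket: only an
// explicit { $get: "field" } dereferences, every string is a constant.
// "$get" is the ticket's proposal, not an existing MongoDB operator.
function evalLhs(expr, doc) {
  if (expr !== null && typeof expr === 'object' && !Array.isArray(expr)) {
    if ('$get' in expr) return getPath(doc, expr.$get);
  }
  return expr;
}

// Apply a $project-style spec to one document with the chosen semantics.
function project(doc, spec, evalExpr) {
  const out = {};
  for (const [field, expr] of Object.entries(spec)) {
    out[field] = evalExpr(expr, doc);
  }
  return out;
}

// Constructed sample document with a field the client must never see.
const SAMPLE = { _id: 1, name: 'alice', ssn: '123-45-6789' };

// Vulnerable pattern: a client-supplied string is spliced directly into the
// $project spec, so an input of "$ssn" is read as a field path and leaks.
function vulnerableLabel(input) {
  return project(SAMPLE, { name: '$name', label: input }, evalRhs).label;
}

// Mitigation available today: wrap client data in $literal so it is
// always treated as a value.
function literalLabel(input) {
  return project(
    SAMPLE,
    { name: '$name', label: { $literal: input } },
    evalRhs,
  ).label;
}

// The ticket's point that a client careful enough to use $literal could
// just as easily reject a leading "$": a boundary check on the input.
function rejectFieldRef(input) {
  if (typeof input === 'string' && input.startsWith('$')) {
    throw new Error('client-supplied value may not start with "$"');
  }
  return input;
}

// Under the proposed lhs syntax, the same spliced string is harmless
// because dereferencing requires an explicit operator on the left.
function lhsLabel(input) {
  return project(
    SAMPLE,
    { name: { $get: 'name' }, label: input },
    evalLhs,
  ).label;
}
```

The contrast worth noticing is that vulnerableLabel and lhsLabel receive exactly the same untrusted string; only the grammar decides whether "$ssn" is data or a field reference, which is why the ticket argues that an opt-in $literal shifts the burden onto every client rather than removing the hazard.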


Generated at Thu Feb 08 03:24:12 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.