[SERVER-10840] injection is too easy with agg framework syntax

Created: 22/Sep/13 | Updated: 06/Dec/22

| Status: | Backlog |
| Project: | Core Server |
| Component/s: | Aggregation Framework, Querying, Security, Write Ops |
| Affects Version/s: | 2.5.2 |
| Fix Version/s: | None |
| Type: | Improvement |
| Priority: | Major - P3 |
| Reporter: | Dwight Merriman |
| Assignee: | Backlog - Query Optimization |
| Resolution: | Unresolved |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Assigned Teams: | Query Optimization |
| Participants: | |
| Description |

The aggregation framework supports a syntax with dollar-sign field name selection on the right-hand side. This creates the potential for an injection-style attack analogous to SQL injection. There is now a $literal operator (

Of particular importance here would be if the aggregation framework syntax migrates into the regular query syntax. Then, if one failed to use $literal, it would be likely that there would be a good number of apps out there with an injection vulnerability, either with projection or querying.

One solution would be to use an LHS rather than RHS operator, e.g.:

{ x : "$foo" } -> }

The main concern here is if this operator were to move beyond the $project operator phrases and into other things.
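The following is an added illustration of the injection the ticket describes; it is not MongoDB code and not part of the issue. It is a deliberately small JavaScript emulation of the expression rules a $project stage applies to its right-hand side: a string that begins with "$" is resolved as a field path, { $literal: v } yields v unchanged, and anything else is a constant. The sample document, the field names (name, password, role) and the two builder functions are constructed for the example. With those rules in place, a user-supplied string that reaches the right-hand side unwrapped turns into a field reference, so "$password" reads the password field out of the document, while the same input wrapped in $literal stays a plain string.

```javascript
// Simplified emulation of aggregation $project expression semantics (not the
// real server implementation): enough to show the "$"-prefix injection and
// the $literal fix from the ticket.

// Resolve a dotted field path such as "account.password" against a document.
function resolvePath(doc, path) {
  return path.split(".").reduce(
    (cur, key) => (cur !== null && typeof cur === "object" ? cur[key] : undefined),
    doc
  );
}

// Evaluate one right-hand-side expression against a document.
function evaluateExpr(doc, expr) {
  if (typeof expr === "string" && expr.startsWith("$")) {
    // Field-path form: "$password" means "the value of field password".
    return resolvePath(doc, expr.slice(1));
  }
  if (expr !== null && typeof expr === "object" && !Array.isArray(expr)) {
    const keys = Object.keys(expr);
    if (keys.length === 1 && keys[0] === "$literal") {
      // $literal returns its argument verbatim, even if it starts with "$".
      return expr.$literal;
    }
    // Nested object expression: evaluate each member.
    const out = {};
    for (const k of keys) out[k] = evaluateExpr(doc, expr[k]);
    return out;
  }
  // Numbers, booleans, and strings without a leading "$" are constants here.
  return expr;
}

// Apply a $project-style specification: every key maps to an expression.
function project(doc, spec) {
  const out = {};
  for (const [k, v] of Object.entries(spec)) out[k] = evaluateExpr(doc, v);
  return out;
}

// Constructed sample document for the demo (not real data).
const USER_DOC = { _id: 7, name: "alice", password: "hunter2-hash", role: "admin" };

// Vulnerable pattern: an untrusted string is placed directly on the RHS.
// If the caller passes "$password", the projection reads that field.
function buildTagProjectionUnsafe(userTag) {
  return { name: "$name", tag: userTag };
}

// Hardened pattern: untrusted values are wrapped in $literal, so the
// "$"-prefix is never interpreted as a field path.
function buildTagProjectionSafe(userTag) {
  return { name: "$name", tag: { $literal: userTag } };
}

// Run both builders against the sample document for a given user input.
function demo(userTag) {
  return {
    unsafe: project(USER_DOC, buildTagProjectionUnsafe(userTag)),
    safe: project(USER_DOC, buildTagProjectionSafe(userTag)),
  };
}

console.log(JSON.stringify(demo("vip")));
console.log(JSON.stringify(demo("$password")));
```

With the input "vip" both builders produce the same projection. With the input "$password" the unsafe builder returns the hashed password in the tag field, while the $literal version returns the string "$password" itself; the same wrapping is what an application would need at every site where user input reaches the right-hand side of an expression.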