[SERVER-11015] REST queries on documents containing javascript content returns incorrect JSON Created: 03/Oct/13  Updated: 11/Jul/16  Resolved: 20/Dec/13

Status: Closed
Project: Core Server
Component/s: HTTP Console, Internal Code
Affects Version/s: 2.4.3
Fix Version/s: 2.5.5

Type: Bug Priority: Critical - P2
Reporter: David Regnier Assignee: Shaun Verch
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

platform independant


Attachments: Text File json_profiles.json.txt    
Issue Links:
Related
related to SERVER-11868 Strict JSON escaping Closed
Operating System: ALL
Steps To Reproduce:

Issue reproduced via this specific use case:

1/ enable REST on the database
2/ create a database (let's say "demo")
3/ enable profiling on this database (level 2 to profile everything)
4/ execute a javascript file on the database

Arbitrary example:

var i = 0;
while(i<1){
db.runCommand( {
eval: function(name, incAmount) {
var doc =

{ name : name , num : 0 , total : 0 , avg : incAmount }

;
db.collection1.save( doc );
return doc;
},
args: [ "eliot", i ]
}
);
i++;
}

5/ do a REST query on the "system.profile" collection for "demo"

(for example: http://localhost:28017/demo/system.profile/)

Resulting JSON is incorrect (javascript command is not escaped)

See attached file "json_profiles.json".

Participants:

 Description   

If the content of a JSON document value is javascript, the result of a query via the REST interface does not escape this javascript content.
Resulting content is not correct JSON.

(tested via a query on "system.profiles" collection -> profiles having commands with javascript content).



 Comments   
Comment by Githook User [ 20/Dec/13 ]

Author:

{u'username': u'Zarkantho', u'name': u'Shaun Verch', u'email': u'shaun.verch@10gen.com'}

Message: SERVER-11015 Properly quote and escape javascript code in JSON output
Branch: master
https://github.com/mongodb/mongo/commit/82e1fdc81552c4c1da18a129287ac4eef03d9310

Comment by Shaun Verch [ 30/Oct/13 ]

This is an also an issue for mongoexport since it's an issue with how we convert the BSON code type to JSON.

$ ./mongoexport --db test --collection test
connected to: 127.0.0.1
{ "_id" : { "$oid" : "52712e8e71728cb2832b489b" }, "script" : function () { var x = "foo"; } }
exported 1 records

Comment by Shaun Verch [ 30/Oct/13 ]

Reproduced and confirmed:

> db.test.insert({"script":function () { var x = "foo"; } })

$ wget localhost:28017/test/test/ -O -
--2013-10-30 12:07:25--  http://localhost:28017/test/test/
Resolving localhost... ::1, 127.0.0.1, fe80::1
Connecting to localhost|::1|:28017... failed: Connection refused.
Connecting to localhost|127.0.0.1|:28017... connected.
HTTP request sent, awaiting response... 200 OK
Length: 190 [text/plain]
Saving to: ‘STDOUT’
 
 0% [                                                                                                                                         ] 0           --.-K/s              {
  "offset" : 0,
  "rows": [
    { "_id" : { "$oid" : "52712e8e71728cb2832b489b" }, "script" : function () { var x = "foo"; } }
  ],
 
  "total_rows" : 1 ,
  "query" : {} ,
  "millis" : 0
}
100%[========================================================================================================================================>] 190         --.-K/s   in 0s
 
2013-10-30 12:07:25 (45.3 MB/s) - written to stdout [190/190]

I believe our options are either to add something to http://docs.mongodb.org/manual/reference/mongodb-extended-json/ to allow us to represent code objects in strict JSON format or to just output it as a string.

Generated at Thu Feb 08 03:24:39 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.