[SERVER-19672] Array functions in shell can cause stall Created: 30/Jul/15  Updated: 11/Sep/17  Resolved: 03/Aug/15

Status: Closed
Project: Core Server
Component/s: Shell
Affects Version/s: 3.1.6
Fix Version/s: 3.1.7

Type: Bug Priority: Minor - P4
Reporter: J Delaney Assignee: J Delaney
Resolution: Done Votes: 0
Labels: dnsf
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Related
is related to SERVER-31038 DBCollection.prototype.createIndexes ... Closed
Backwards Compatibility: Minor Change
Operating System: ALL
Participants:

 Description   

In types.js there are a multiple helper functions added to Array that do not properly check that the array argument being passed to them is actually an array. This can lead to a stall in the shell if an object with property length set to a large number (or Infinity) is passed as an argument to one of these functions.

Affected functions:

  • Array.contains
  • Array.unique
  • Array.shuffle
  • Array.tojson
  • Array.fetchRefs
  • Array.sum
  • Array.stdDev

This is causing issues in jstestfuzz.



 Comments   
Comment by Kamran K. [ 03/Aug/15 ]

Here's an example of a backwards incompatibility, in case external code was relying on the buggy Array method implementations:

3.1.7:

> Array.shuffle({length: 1});
2015-08-03T11:59:33.141-0400 E QUERY    [thread1] Error: The first argument to Array.shuffle must be an array :
Array.shuffle@src/mongo/shell/types.js:147:1
@(shell):1:1

3.0.5:

> Array.shuffle({length: 1});
{ "length" : 1 }

Comment by Githook User [ 03/Aug/15 ]

Author:

{u'username': u'j-delaney', u'name': u'J Delaney', u'email': u'j.delaney@mongodb.com'}

Message: SERVER-19672 Check that arguments to Array util methods are arrays
Branch: master
https://github.com/mongodb/mongo/commit/97d4b72c6fc68419370620325813769003b5a70a

Generated at Thu Feb 08 03:51:43 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.