[SERVER-27194] Views should require both "viewOn" and "pipeline" to be specified if modifying view when auth is enabled
Created: 28/Nov/16  Updated: 05/Apr/17  Resolved: 06/Dec/16

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 3.4.0-rc5
Fix Version/s: 3.4.1, 3.5.1

Type: Bug Priority: Major - P3
Reporter: Kyle Suarez Assignee: Kyle Suarez
Resolution: Done Votes: 0
Labels: read-only-views
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Documented
is documented by DOCS-9473 Document behavior of views when auth ... Closed
Related
is related to SERVER-26765 Move views tests into jsCore Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Completed:
Steps To Reproduce:

Launch mongod with --auth, then do

assert.commandWorked(db.createView("view", "collection", [{ $match: { team: "query" } }] ));
assert.commandWorked(db.runCommand( { collMod: "view", pipeline: [{ $sort: { team: -1 } }] } ));

Sprint: Query 2016-12-12
Participants:

 Description   

When auth is enabled, we should force users to specify both "viewOn" and "pipeline". This prevents users from reading sensitive information in the original "viewOn" by only changing "pipeline", or from exposing more information via lookup in the original "pipeline" by only changing "viewOn".

Original Description

In AuthorizationSession::checkAuthForCreateOrModifyView(), we construct a NamespaceString on the "viewOn" field of the command object, to make sure that the user has read privileges on that namespace. However, a user can validly collMod an existing view without specifying a new "viewOn". Because the authorization code always expects "viewOn" to be a field, this scenario causes an exception to be thrown.

The correct behavior would be to first check if cmdObj["viewOn"] exists; if it does not, simply skip the call to checkAuthForAggregate().
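
A simplified model of the rule described above, added here as an example; it is not MongoDB's authorization code. The function names, the set-of-readable-namespaces privilege model, the "test" database and the "salaries" collection are all assumptions made for illustration.

```javascript
// Model of an auth check for collMod on a view (illustrative, not MongoDB code).
// Assumption: a user's privileges are a Set of namespaces they may read.

// Every namespace a view definition reads: the "viewOn" source plus any
// collection joined by a simple $lookup stage (other stages are not modelled).
function namespacesRead(dbName, viewOn, pipeline) {
  const out = new Set([`${dbName}.${viewOn}`]);
  for (const stage of pipeline) {
    if (stage.$lookup && typeof stage.$lookup.from === "string") {
      out.add(`${dbName}.${stage.$lookup.from}`);
    }
  }
  return out;
}

// Returns {ok: true} or {ok: false, reason}; never throws on a missing field.
function checkAuthForModifyView(dbName, cmdObj, readable, authEnabled) {
  if (!authEnabled) return { ok: true };
  const hasViewOn = typeof cmdObj.viewOn === "string";
  const hasPipeline = Array.isArray(cmdObj.pipeline);
  if (hasViewOn !== hasPipeline) {
    // Only one half supplied: the other half would be inherited from the
    // stored view definition without being checked against this user.
    return { ok: false, reason: "must specify both viewOn and pipeline" };
  }
  if (!hasViewOn) return { ok: true }; // definition is not being changed
  for (const ns of namespacesRead(dbName, cmdObj.viewOn, cmdObj.pipeline)) {
    if (!readable.has(ns)) {
      return { ok: false, reason: `no read privilege on ${ns}` };
    }
  }
  return { ok: true };
}

// Constructed sample: the user can read test.collection only.
const READABLE = new Set(["test.collection"]);
// The collMod from "Steps To Reproduce": pipeline without viewOn.
const PIPELINE_ONLY = { collMod: "view", pipeline: [{ $sort: { team: -1 } }] };
// A full redefinition that joins in a collection the user cannot read.
const WITH_LOOKUP = {
  collMod: "view",
  viewOn: "collection",
  pipeline: [{ $lookup: { from: "salaries", localField: "team",
                          foreignField: "team", as: "pay" } }],
};
console.log(checkAuthForModifyView("test", PIPELINE_ONLY, READABLE, true));
console.log(checkAuthForModifyView("test", WITH_LOOKUP, READABLE, true));
```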



 Comments   
Comment by Githook User [ 06/Dec/16 ]

Author: Kyle Suarez (ksuarz) <kyle.suarez@mongodb.com>

Message: SERVER-27194 must specify both viewOn and pipeline if modifying view when auth enabled

(cherry picked from commit 7ce8f181b87685fbcf6cc93749334c85ce36554e)
Branch: v3.4
https://github.com/mongodb/mongo/commit/c891410987af3998f8caf2d6745a070b3ca428d8

Comment by Githook User [ 06/Dec/16 ]

Author: Kyle Suarez (ksuarz) <kyle.suarez@mongodb.com>

Message: SERVER-27194 must specify both viewOn and pipeline if modifying view when auth enabled
Branch: master
https://github.com/mongodb/mongo/commit/7ce8f181b87685fbcf6cc93749334c85ce36554e

Comment by Kyle Suarez [ 28/Nov/16 ]

An implication of this bug is that a user who has auth enabled cannot perform a collMod of a view that does not specify the "viewOn" field; for example, only changing the pipeline:

> db.createView("view", "collection", [{ $match: { team: "query" } }] );
> db.runCommand( { collMod: "view", pipeline: [{ $sort: { team: -1 } }] } );

Users not running with auth enabled aren't affected by this bug.

A workaround would be to always specify the "viewOn" field when issuing a collMod command.
