[SERVER-29014] Consider prohibiting explaining an explain Created: 28/Apr/17  Updated: 06/Dec/22  Resolved: 05/May/17

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor - P4
Reporter: Kyle Suarez Assignee: Backlog - Query Team (Inactive)
Resolution: Won't Fix Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to SERVER-26703 Inserting deeply-nested documents sho... Closed
Assigned Teams:
Query
Participants:

Description

In CmdExplain::checkAuthForOperation(), we recursively check auth on the contained command. An unauthorized user could then attempt to run an explain on nested explains in an attempt to force the server to consume more resources.

The severity of this is minor because we're mostly saved by the BSON depth limit enforced in SERVER-26703.
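The description above sketches a recursive authorization check that unwraps each `explain` layer before authorizing the innermost command, and notes that a document depth limit caps how much work an attacker can force. The following Python model is an added illustration, not MongoDB's own code: `CmdExplain::checkAuthForOperation()` and the BSON depth limit are stood in for by hypothetical functions, and the limits `MAX_BSON_DEPTH` and `MAX_EXPLAIN_DEPTH` are assumed values chosen for the example, not the server's real settings.

```python
"""Illustrative model of a depth-bounded recursive auth check for nested explains.

This is example code, not MongoDB's implementation. It shows two defences the
ticket discusses: rejecting documents whose nesting exceeds a depth limit before
any recursion starts, and bounding the number of explain layers the auth check
will unwrap, so the cost of checking an unauthorized request stays small.
"""
from typing import Any, Callable, Dict

MAX_BSON_DEPTH = 200      # assumed stand-in for a document depth limit (placeholder value)
MAX_EXPLAIN_DEPTH = 4     # assumed cap on explain-of-explain nesting (placeholder value)

AuthPredicate = Callable[[str, Dict[str, Any]], bool]


class AuthError(Exception):
    """Raised when a command is rejected before any explain work is performed."""


def build_nested_explain(inner: Dict[str, Any], levels: int) -> Dict[str, Any]:
    """Constructed sample input: wrap `inner` in `levels` explain commands."""
    cmd = inner
    for _ in range(levels):
        cmd = {"explain": cmd}
    return cmd


def document_depth(doc: Any) -> int:
    """Nesting depth of dicts/lists; stands in for a BSON depth computation."""
    if isinstance(doc, dict):
        return 1 + max((document_depth(v) for v in doc.values()), default=0)
    if isinstance(doc, list):
        return 1 + max((document_depth(v) for v in doc), default=0)
    return 0


def check_auth_for_operation(cmd: Dict[str, Any], is_authorized: AuthPredicate,
                             explain_depth: int = 0) -> int:
    """Recursively unwrap explain layers, then authorize the innermost command.

    Returns the number of recursion steps taken, so the bounded cost is visible.
    Raises AuthError as soon as the nesting bound is exceeded or the leaf command
    is not authorized; no further unwrapping happens after a rejection.
    """
    if not isinstance(cmd, dict) or not cmd:
        raise AuthError("malformed command document")
    command_name = next(iter(cmd))          # first key names the command
    if command_name == "explain":
        if explain_depth + 1 > MAX_EXPLAIN_DEPTH:
            raise AuthError(f"explain nested deeper than {MAX_EXPLAIN_DEPTH} levels")
        inner = cmd["explain"]
        return 1 + check_auth_for_operation(inner, is_authorized, explain_depth + 1)
    if not is_authorized(command_name, cmd):
        raise AuthError(f"not authorized to run {command_name}")
    return 1


def authorize_command(cmd: Dict[str, Any], is_authorized: AuthPredicate) -> int:
    """Front door: enforce the document depth limit first, then the recursive auth check."""
    if document_depth(cmd) > MAX_BSON_DEPTH:
        raise AuthError("document exceeds maximum nesting depth")
    return check_auth_for_operation(cmd, is_authorized)


if __name__ == "__main__":
    # Constructed sample: a caller allowed to run find but nothing else.
    allow_find_only: AuthPredicate = lambda name, _cmd: name == "find"
    find_cmd = {"find": "users", "filter": {"age": {"$gt": 18}}}
    print("explain(explain(find)) steps:",
          authorize_command(build_nested_explain(find_cmd, 2), allow_find_only))
    for bad in (build_nested_explain(find_cmd, 10), {"explain": {"drop": "users"}}):
        try:
            authorize_command(bad, allow_find_only)
        except AuthError as exc:
            print("rejected:", exc)
```

The order of the two checks matters: the depth limit is evaluated on the raw document before any per-layer work, so a request that is pathologically nested is refused at constant cost relative to its size, and the explain-depth bound then keeps the recursive unwrapping short even for documents that pass the first check.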
Comments
Comment by Kyle Suarez [ 28/Apr/17 ]

CC spencer.jackson
