[SERVER-31203] Disable server-side execution of JavaScript code by default Created: 21/Sep/17 Updated: 06/Dec/22 |
|
| Status: | Open |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | features we're not sure of |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Hannes Magnusson | Assignee: | Backlog - Security Team |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Assigned Teams: | Server Security |
| Participants: |
| Description |
|
The Security Checklist instructs users to Run MongoDB with Secure Configuration Options, such as disabling execution of JavaScript code for certain server-side operations: mapReduce, group, and $where. Rather than instructing users to disable this feature for security reasons, we should be secure by default and force the user to enable this feature if they require it.
https://docs.mongodb.com/manual/reference/configuration-options/#security.javascriptEnabled
https://docs.mongodb.com/manual/core/server-side-javascript/
|