[SERVER-31203] Disable server-side execution of JavaScript code by default Created: 21/Sep/17  Updated: 06/Dec/22

Status: Open
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: features we're not sure of

Type: Improvement Priority: Major - P3
Reporter: Hannes Magnusson Assignee: Backlog - Security Team
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Assigned Teams:
Server Security
Participants:

 Description   

The Security Checklist instructs users to Run MongoDB with Secure Configuration Options, such as disabling execution of JavaScript code for certain server-side operations: mapReduce, group, and $where.

Rather than instructing users to disable this feature for security reasons, we should be secure by default and force the user to enable this feature if they require it.

https://docs.mongodb.com/manual/reference/configuration-options/#security.javascriptEnabled

When disabled, you cannot use operations that perform server-side execution of JavaScript code, such as the $where query operator, mapReduce command and the db.collection.mapReduce() method, group command and the db.collection.group() method.

https://docs.mongodb.com/manual/core/server-side-javascript/

If you are using SELinux, any MongoDB operation that requires server-side JavaScript will result in segfault errors. Disable Server-Side Execution of JavaScript describes how to disable execution of server-side JavaScript.
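
An added example, not part of the original ticket or of MongoDB's code: because the setting is opt-out, an instance that never mentions `security.javascriptEnabled` still runs server-side JavaScript, so an audit has to treat "not configured" as "enabled". The sketch below classifies `getCmdLineOpts` reply documents; the host names and sample replies are constructed, and the `argv` check for `--noscripting` assumes the flag may not be reflected under `parsed`.

```python
"""Flag mongod instances where server-side JavaScript can still run."""


def javascript_enabled(cmdline_opts):
    """Return (enabled, reason) for one getCmdLineOpts reply document."""
    security = cmdline_opts.get("parsed", {}).get("security", {})
    if "javascriptEnabled" in security:
        value = security["javascriptEnabled"]
        return bool(value), f"security.javascriptEnabled={str(value).lower()}"
    # Assumption: fall back to argv in case the flag is not mirrored in "parsed".
    if "--noscripting" in cmdline_opts.get("argv", []):
        return False, "--noscripting on command line"
    # Nothing set: the server default applies, and that default is enabled.
    return True, "not configured (default is enabled)"


def audit(fleet):
    """Map host -> reason for every host that permits $where/mapReduce/group JS."""
    findings = {}
    for host, opts in fleet.items():
        enabled, reason = javascript_enabled(opts)
        if enabled:
            findings[host] = reason
    return findings


# Constructed sample replies (hypothetical hosts), shaped like getCmdLineOpts output.
SAMPLE_FLEET = {
    "db1.example.internal": {
        "argv": ["mongod", "--config", "/etc/mongod.conf"],
        "parsed": {"config": "/etc/mongod.conf", "net": {"port": 27017}},
    },
    "db2.example.internal": {
        "argv": ["mongod", "--config", "/etc/mongod.conf"],
        "parsed": {"security": {"javascriptEnabled": False}},
    },
    "db3.example.internal": {
        "argv": ["mongod", "--noscripting"],
        "parsed": {},
    },
    "db4.example.internal": {
        "argv": ["mongod", "--config", "/etc/mongod.conf"],
        "parsed": {"security": {"authorization": "enabled", "javascriptEnabled": True}},
    },
}

if __name__ == "__main__":
    for host, reason in audit(SAMPLE_FLEET).items():
        print(f"{host}: server-side JavaScript enabled ({reason})")
```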

