[SERVER-5782] need a $literal operator to help prevent injection attacks
Created: 08/May/12 | Updated: 28/Oct/15 | Resolved: 09/Aug/13

| Field | Value |
|---|---|
| Status | Closed |
| Project | Core Server |
| Component/s | Aggregation Framework |
| Affects Version/s | None |
| Fix Version/s | 2.5.2 |
| Type | New Feature |
| Priority | Major - P3 |
| Reporter | Daniel Pasette (Inactive) |
| Assignee | Matt Dannenberg |
| Resolution | Done |
| Votes | 1 |
| Labels | None |
| Remaining Estimate | Not Specified |
| Time Spent | Not Specified |
| Original Estimate | Not Specified |
Description
If an application constructs an aggregation pipeline using data obtained from the user, it is possible for that data to affect the result in unexpected ways. Here's a simple example using the mongo shell:
The author of the code probably meant for x to be the name of a user or a query parameter supplied by the application. But if the user arranges to supply a string value that begins with a '$', it will be interpreted as a field reference. For the example above, x = '$author' causes $eq to be true for every document (compare with x = 'dave'). To make it possible to construct such pipelines dynamically, we should provide a $literal operator whose value cannot be interpreted as a field reference. For example:
This can be used to safely construct pipelines w/o fear of a user injecting a value that could be interpreted as anything other than a literal.
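The behaviour the description refers to, as an added example that is not from the ticket or from the MongoDB code base: a small JavaScript model of how an aggregation expression resolves a string beginning with `$` as a field path, with an unsafe pipeline builder beside one that wraps the user-supplied value in `$literal`. The evaluator (`evalExpr`), the sample documents, and the `buildUnsafe` / `buildSafe` / `countMatches` helpers are constructed for illustration; the evaluator is a simplified stand-in for the server and implements only `$eq` and `$literal` inside a single `$project` stage.

```javascript
// Added example (not from the ticket or from MongoDB itself): a simplified model
// of aggregation expression evaluation, enough to show why a raw user string can
// become a field reference and how $literal prevents that.

// Constructed sample collection.
const docs = [
  { _id: 1, author: 'dave', title: 'A' },
  { _id: 2, author: 'alice', title: 'B' },
];

// Resolve a dotted field path such as "author" or "meta.tag" against a document.
function getPath(doc, path) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), doc);
}

// Evaluate one aggregation expression against one document (simplified model).
function evalExpr(expr, doc) {
  if (typeof expr === 'string' && expr.startsWith('$')) {
    // A string beginning with '$' is a field path reference, not a literal.
    return getPath(doc, expr.slice(1));
  }
  if (expr !== null && typeof expr === 'object' && !Array.isArray(expr)) {
    const keys = Object.keys(expr);
    if (keys.length === 1 && keys[0].startsWith('$')) {
      const op = keys[0];
      const args = expr[op];
      switch (op) {
        case '$literal':
          // The operand is returned as-is and is never re-evaluated, so a
          // '$'-prefixed string stays a plain string.
          return args;
        case '$eq': {
          const [a, b] = args.map((e) => evalExpr(e, doc));
          return a === b;
        }
        default:
          throw new Error(`unsupported operator in this model: ${op}`);
      }
    }
  }
  // Numbers, booleans and strings without a leading '$' are literals.
  return expr;
}

// Unsafe builder: the user-supplied value x goes straight into the expression.
function buildUnsafe(x) {
  return { $project: { sameAuthor: { $eq: ['$author', x] } } };
}

// Safe builder: the user-supplied value is wrapped in $literal.
function buildSafe(x) {
  return { $project: { sameAuthor: { $eq: ['$author', { $literal: x }] } } };
}

// Run a single $project stage over a collection and return the projected docs.
function runProject(stage, collection) {
  const spec = stage.$project;
  return collection.map((doc) => {
    const out = { _id: doc._id };
    for (const [field, expr] of Object.entries(spec)) {
      out[field] = evalExpr(expr, doc);
    }
    return out;
  });
}

// How many documents end up with sameAuthor === true for a given stage.
function countMatches(stage, collection = docs) {
  return runProject(stage, collection).filter((d) => d.sameAuthor).length;
}

// With the intended input both builders agree; with a '$'-prefixed input the
// unsafe builder matches every document, the safe one matches none.
console.log(countMatches(buildUnsafe('dave')));     // 1
console.log(countMatches(buildUnsafe('$author')));  // 2
console.log(countMatches(buildSafe('$author')));    // 0
```

The point of the model is the first branch of `evalExpr`: any string that starts with `$` is looked up in the document, so an application that interpolates user input into an expression hands the user a field reference. `$literal` short-circuits that lookup, which is why the builder that wraps its input never matches on `'$author'`.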
Comments

Comment by Dwight Merriman [ 22/Sep/13 ]

is $literal the best name for this? asking as it'll be around for decades, so we should be sure. it's reasonable but alternatives might be $quote or something.

Comment by auto [ 09/Aug/13 ]

Author: {u'username': u'dannenberg', u'name': u'matt dannenberg', u'email': u'matt.dannenberg@10gen.com'}
Message:

Comment by auto [ 15/Jun/12 ]

Author: {u'date': u'2012-06-11T09:28:21-07:00', u'email': u'dannenberg.matt@gmail.com', u'name': u'Matt Dannenberg'}
Message: $literal returns a string rather than evaluating the string to prevent
Signed-off-by: Siddharth Singh <singhsiddharth@gmail.com>

Comment by Gustavo Niemeyer [ 08/May/12 ]

Thanks for working on this, Chris.

Comment by Chris Westin [ 08/May/12 ]

This will subsume