[SERVER-5782] need a $literal operator to help prevent injection attacks Created: 08/May/12  Updated: 28/Oct/15  Resolved: 09/Aug/13

Status: Closed
Project: Core Server
Component/s: Aggregation Framework
Affects Version/s: None
Fix Version/s: 2.5.2

Type: New Feature Priority: Major - P3
Reporter: Daniel Pasette (Inactive) Assignee: Matt Dannenberg
Resolution: Done Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by CSHARP-792 support new aggregation pipeline oper... Closed
Duplicate
is duplicated by SERVER-5991 $project does not allow creation of a... Closed
is duplicated by SERVER-3864 aggregation: support stuttered $ syn... Closed
Related
is related to SERVER-3864 aggregation: support stuttered $ syn... Closed
is related to SERVER-10840 injection is too easy with agg framew... Backlog
is related to SERVER-3859 aggregation: if future updates use t... Closed
Participants:

 Description   

If an application constructs an aggregation pipeline using data obtained from the user, it is possible for that data to affect the result in unexpected ways. Here's a simple example using the mongo shell:

// projection includes a computed value
var x = "$author";
 
var i1 = db.runCommand(
{ aggregate : "article", pipeline : [
    { $project : {
        author : 1,
        daveWroteIt : { $eq:["$author", x] }
    }}
]});

The author of the code probably meant for x to be the name of a user or a query parameter supplied by the application. But if the user arranges to supply a string value that begins with a '$', it will be interpreted as a field reference. For the example above, x = '$author' causes $eq to be true for every document (compare with x = 'dave').

To make it possible to construct such pipelines dynamically, we should provide a $literal operator whose value cannot be interpreted as a field reference. For example:

var x = "$author";
 
var i2 = db.runCommand(
{ aggregate : "article", pipeline : [
    { $project : {
        author : 1,
        daveWroteIt : { $eq:["$author", { $literal: x } ] }
    }}
]});

This can be used to safely construct pipelines without fear of a user injecting a value that could be interpreted as anything other than a literal.
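The behaviour described above, as an added example that is not part of the original issue and is not MongoDB's code: a simplified model of how `$project` evaluates `$eq`, field references and `$literal`, run over constructed documents. The `evaluate`, `project`, `lit` and `daveWroteIt` names are hypothetical, and the model covers only top-level field names.

```javascript
// Simplified model of aggregation expression evaluation (assumption: this
// mirrors the behaviour the issue describes; it is not the server's code).
function evaluate(expr, doc) {
  // A string that starts with "$" is treated as a field reference.
  if (typeof expr === "string" && expr.startsWith("$")) {
    return doc[expr.slice(1)];
  }
  if (expr !== null && typeof expr === "object" && !Array.isArray(expr)) {
    // $literal returns its operand as-is; it is never re-interpreted.
    if ("$literal" in expr) return expr.$literal;
    if ("$eq" in expr) {
      const [a, b] = expr.$eq.map((e) => evaluate(e, doc));
      return a === b;
    }
    throw new Error("operator not covered by this model");
  }
  return expr; // plain constant
}

// Model of the $project stage used in the issue: 1 includes the field,
// anything else is a computed expression.
function project(docs, spec) {
  return docs.map((doc) => {
    const out = {};
    for (const [key, value] of Object.entries(spec)) {
      out[key] = value === 1 ? doc[key] : evaluate(value, doc);
    }
    return out;
  });
}

// Hypothetical helper: wrap every application-supplied value before it
// is placed into a pipeline expression.
const lit = (value) => ({ $literal: value });

// Constructed sample collection.
const articles = [{ author: "dave" }, { author: "bob" }];

// Builds the pipeline stage from the issue with x inserted raw or wrapped,
// and returns the computed daveWroteIt value for each document.
function daveWroteIt(x, wrap) {
  const operand = wrap ? lit(x) : x;
  const spec = { author: 1, daveWroteIt: { $eq: ["$author", operand] } };
  return project(articles, spec).map((d) => d.daveWroteIt);
}

console.log("raw     :", daveWroteIt("$author", false));
console.log("wrapped :", daveWroteIt("$author", true));
```

Wrapping changes nothing for ordinary values such as `dave`, so the helper can be applied to every user-supplied operand unconditionally.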



 Comments   
Comment by Dwight Merriman [ 22/Sep/13 ]

Is $literal the best name for this? Asking as it'll be around for decades, so we should be sure. It's reasonable, but alternatives might be $quote or something.

Comment by auto [ 09/Aug/13 ]

Author: matt dannenberg (username: dannenberg) <matt.dannenberg@10gen.com>

Message: SERVER-5782 $literal operator to help prevent injection attacks
Branch: master
https://github.com/mongodb/mongo/commit/cd81198d0280abc8144bd7fa291a15564c1c0ae4

Comment by auto [ 15/Jun/12 ]

Author: Matt Dannenberg <dannenberg.matt@gmail.com>
Date: 2012-06-11T09:28:21-07:00

Message: SERVER-5782 add a $literal operator to aggregation

$literal returns a string rather than evaluating the string to prevent
injection attacks.

Signed-off-by: Siddharth Singh <singhsiddharth@gmail.com>
Branch: master
https://github.com/mongodb/mongo/commit/6edd4d75b3d661e8e447869cdb91931c4ae82f62

Comment by Gustavo Niemeyer [ 08/May/12 ]

Thanks for working on this, Chris.

Comment by Chris Westin [ 08/May/12 ]

This will subsume SERVER-3864.

Generated at Thu Feb 08 03:09:51 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.