[SERVER-6163] value in a $literal expression can trigger an expression parse assertion causing an aggregation to fail Created: 21/Jun/12  Updated: 19/May/14  Resolved: 12/Jul/12

Status: Closed
Project: Core Server
Component/s: Aggregation Framework
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Aaron Staple Assignee: Matt Dannenberg
Resolution: Won't Fix Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Participants:

 Description   

Observed behavior: A $literal value may be parsed as a FieldPath, triggering an exception if it represents an invalid FieldPath. This will allow a $literal field supplied by a malicious user to cause an aggregation query to fail with an assertion.
Expected behavior: A $literal value is not parsed as an expression and is handled as a string literal.

c = db.c;
c.drop();
c.save( { prefix:'moon' } );
 
// This is a safe literal.
suffix = 'beam';
 
printjson( c.aggregate( { $project:{ word:{ $add:[ '$prefix', { $literal:suffix } ] } } } ) );
 
// This literal is parsed as a FieldPath with adjacent dots, which is not allowed.
suffix = '$hine..';
 
printjson( c.aggregate( { $project:{ word:{ $add:[ '$prefix', { $literal:suffix } ] } } } ) );
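
The parse behaviour described above, as an added example that is not part of the original ticket and not MongoDB source code. It is a simplified model: every function name in it is hypothetical, and the rule that `$`-prefixed strings are parsed as field paths with non-empty components is assumed from the description.

```javascript
// Simplified model of the parse behaviour in this ticket; not MongoDB source.
// All function names here are hypothetical.

// A field path is '$' followed by dot-separated, non-empty components.
function parseFieldPath(str) {
  const parts = str.slice(1).split('.');
  if (parts.some((p) => p.length === 0)) {
    throw new Error('FieldPath field names may not be empty: ' + str);
  }
  return { kind: 'fieldPath', path: parts };
}

// Operand parsing: '$'-prefixed strings are field references, other scalars are constants.
function parseOperand(value, literalHandler) {
  if (typeof value === 'string' && value.startsWith('$')) return parseFieldPath(value);
  if (value !== null && typeof value === 'object' && '$literal' in value) {
    return literalHandler(value.$literal);
  }
  return { kind: 'constant', value };
}

// Observed: the $literal argument goes back through operand parsing.
const observedLiteral = (v) => parseOperand(v, observedLiteral);
// Expected: the argument is wrapped as a constant without being inspected.
const expectedLiteral = (v) => ({ kind: 'constant', value: v });

// Parse the $add operand list from the ticket's repro with a given suffix.
function parseAdd(suffix, literalHandler) {
  try {
    const ops = ['$prefix', { $literal: suffix }].map((o) => parseOperand(o, literalHandler));
    return { ok: true, operands: ops };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// The two suffix values from the repro, under both handlers.
for (const suffix of ['beam', '$hine..']) {
  console.log(suffix, 'observed:', JSON.stringify(parseAdd(suffix, observedLiteral)));
  console.log(suffix, 'expected:', JSON.stringify(parseAdd(suffix, expectedLiteral)));
}
```

In the observed model a well-formed value such as `'$hine'` does not fail but is treated as a field reference, so the failure on `'$hine..'` is only the visible symptom of the value being parsed at all.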



 Comments   
Comment by Matt Dannenberg [ 12/Jul/12 ]

SERVER-6425 removing $literal
