[SERVER-75236] Disallow possibility for users to rename admin collections Created: 23/Mar/23 Updated: 13/Apr/23 Resolved: 13/Apr/23 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Pierlauro Sciarelli | Assignee: | Fausto Leyva (Inactive) |
| Resolution: | Won't Fix | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||
| Assigned Teams: |
Storage Execution
|
||||
| Operating System: | ALL | ||||
| Sprint: | Execution Team 2023-04-17 | ||||
| Participants: | |||||
| Linked BF Score: | 10 | ||||
| Description |
|
The validateNamespacesForRenameCollections function is called before a rename to validate the involved namespaces. A fuzzer test successful issued a rename on the admin database, meaning that users can potentially do that. We should disallow renames on the admin db in order to prevent renaming internal system collections. |
| Comments |
| Comment by Pierlauro Sciarelli [ 13/Apr/23 ] |
|
Thanks Fausto, |
| Comment by Fausto Leyva (Inactive) [ 13/Apr/23 ] |
|
validateNamespacesForRenameCollection() should not disallow updates to adminDB (that should be handled in the security auth layer). |