[SERVER-8104] MapReduce on Sharded System Can Bypass Auth Checks
Created: 07/Jan/13  Updated: 21/Nov/23  Resolved: 18/Jan/13

| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 2.4.0-rc0 |
| Type: | Bug |
| Priority: | Major - P3 |
| Reporter: | Andy Schwerin |
| Assignee: | Ben Becker |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Attachments: | |
| Issue Links: | |
| Backwards Compatibility: | Major Change |
| Operating System: | ALL |
| Participants: | |

| Description |
The reducer and finalizer functions both provide access to the Mongo constructor, in a way that enables a malicious user to write to arbitrary databases on the shard server (and perhaps to perform arbitrary operations). Coincidentally, the locking logic prevents this in the mapper, but that is not very futureproof. A proposed solution is to restrict map reduce functions, where functions, etc. to a much narrower scope of operations. I propose they be restricted to the following scope:

As opposed to today, where they have access to the following:
|
| Comments |

| Comment by auto [ 12/Mar/13 ] |
Author: Andy Schwerin <schwerin@10gen.com>, 2013-01-09T17:35:50Z
Message:

| Comment by auto [ 19/Jan/13 ] |
Author: Eric Milkie <milkie@10gen.com>, 2013-01-19T03:32:25Z
Message:

| Comment by auto [ 18/Jan/13 ] |
Author: Ben Becker <ben.becker@10gen.com>, 2013-01-18T22:15:28Z
Message:
| Comment by Ben Becker [ 18/Jan/13 ] |

CPU profiler is just a binding for V8's CPU profiler. It produces results in BSON format (hierarchical utilization). You have to pass it a known name to get the results of a given run. It's not a big deal to uncomment these lines when testing; just trying to make it easy for others.
| Comment by Andy Schwerin [ 18/Jan/13 ] |

RE benchRun, restrict to shell. RE cpu profiler, I'd rather whitelist than blacklist, and I haven't really had a chance to assess the security implications. What is the V8 CPU profiler?

| Comment by Ben Becker [ 18/Jan/13 ] |

One thing to note: I moved benchRun into the local/external setup routines so it's only accessible from db.eval() on the server side. The tests only pass when run from the client though; if you load bench_test2.js from db.eval(), it tries to connect to the hostname 'EMBEDDED'. Happy to restrict it strictly to the shell, if desired.

| Comment by Andy Schwerin [ 18/Jan/13 ] |

benjamin.becker, the following must also be removed. You've already noted most, but I repeated them for completeness.
| Comment by Andy Schwerin [ 17/Jan/13 ] |

OK, it is actually beneficial to remove the Mongo object. Our tests rely on sleep() in where, so we should leave it for now. What are the implications of leaving jsMode in place? As part of this work, let's file a few follow-on tickets:

We may need to file other tickets, but these seem like good ones to triage as potential 2.6 changes.
| Comment by Andy Schwerin [ 07/Jan/13 ] |

Run the following to demonstrate the bug

The --nopreallocj is optional.