[SERVER-8104] MapReduce on Sharded System Can Bypass Auth Checks Created: 07/Jan/13  Updated: 21/Nov/23  Resolved: 18/Jan/13

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 2.4.0-rc0

Type: Bug Priority: Major - P3
Reporter: Andy Schwerin Assignee: Ben Becker
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: File authmr.js
Issue Links:
Duplicate
duplicates SERVER-3130 m/r map/reduce functions should not a... Closed
Related
related to SERVER-9249 db object no longer available to mapper Closed
related to SERVER-9369 my join workaround has different beha... Closed
Backwards Compatibility: Major Change
Operating System: ALL
Participants:

Description

The reducer and finalizer functions both provide access to the Mongo constructor, in a way that enables a malicious user to write to arbitrary databases on the shard server (and perhaps to perform arbitrary operations).

Coincidentally, the locking logic prevents this in the mapper, but that is not very future-proof.

A proposed solution is to restrict map/reduce functions, where functions, etc., to a much narrower scope of operations.

I propose they be restricted to the following scope:

BinData
DBRef
Geo
HexData
ISODate
MD5
MaxKey
MinKey
NumberInt
NumberLong
ObjectId
Random
Timestamp
UUID
argumentsToArray
assert
compare ??
compareOn ??
doassert
emit
friendlyEqual
gc
hex_md5
isNumber
isObject
isString
print
printjson
printjsononeline
sleep ??
tojson
tojsonObject
tojsononeline
verify
version

As opposed to today, where they have access to the following:

print
version
load
gc
DB
DBCollection
DBQuery
ObjectId
DBRef
DBPointer
BinData
UUID
MD5
HexData
NumberLong
NumberInt
Timestamp
MaxKey
MinKey
hex_md5
sleep
benchRun
benchRunSync
benchStart
benchFinish
Mongo
_jsTestOptions
__quiet
__magicNoPrint
__callLastError
_verboseShell
chatty
friendlyEqual
printStackTrace
setVerboseShell
doassert
assert
verify
argumentsToArray
isString
isNumber
isObject
_barFormat
ISODate
compare
compareOn
tojsononeline
tojson
tojsonObject
shellPrint
printjson
printjsononeline
TestData
jsTestName
jsTestFile
jsTestPath
jsTestOptions
setJsTestOption
jsTestLog
jsTest
replSetMemberStatePrompt
shellPrintHelper
shellAutocomplete
shellHelper
Map
Random
Geo
rs
help
__lastres__
sh
connect
MR
MapReduceResult
_mongo
db
_funcs1
_funcs2
_map
_funcs3
_reduce
_funcs4
_finalize
_doFinal
emit
args
_emitCt
_keyCt
_dupCt
_redCt
_mrMap
_funcs5
_funcs6
_funcs7
_funcs8
return
____db____

Comments
Comment by auto [ 12/Mar/13 ]

Author:

{u'date': u'2013-01-09T17:35:50Z', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}

Message: SERVER-8104 regression tests.
Branch: master
https://github.com/mongodb/mongo/commit/56e754ab2121fb0a8055425875281dc0b2c67bdf

Comment by auto [ 19/Jan/13 ]

Author:

{u'date': u'2013-01-19T03:32:25Z', u'email': u'milkie@10gen.com', u'name': u'Eric Milkie'}

Message: SERVER-5228 SERVER-8104 fix unit test as access in reduce function is restricted again
Branch: master
https://github.com/mongodb/mongo/commit/d10e66f541958c076dbd4cc5be3a806dba23d31a

Comment by auto [ 18/Jan/13 ]

Author:

{u'date': u'2013-01-18T22:15:28Z', u'email': u'ben.becker@10gen.com', u'name': u'Ben Becker'}

Message: SERVER-8104: clean up js global object
Branch: master
https://github.com/mongodb/mongo/commit/41c1110326ae00fc7fb279b3bfeabadc3a82bc5a

Comment by Ben Becker [ 18/Jan/13 ]

CPU profiler is just a binding for V8's CPU profiler. It produces results in BSON format (hierarchical utilization). You have to pass it a known name to get the results of a given run.

It's not a big deal to uncomment these lines when testing; just trying to make it easy for others.

Comment by Andy Schwerin [ 18/Jan/13 ]

RE benchRun, restrict to shell.

RE cpu profiler, I'd rather whitelist than blacklist, and I haven't really had a chance to assess the security implications. What is the V8 CPU profiler?

Comment by Ben Becker [ 18/Jan/13 ]

One thing to note – I moved benchrun into the local/external setup routines so it's only accessible from db.eval() on the server side. The tests only pass when run from the client though – if you load bench_test2.js from db.eval(), it tries to connect to the hostname 'EMBEDDED'. Happy to restrict it strictly to the shell, if desired.

Comment by Andy Schwerin [ 18/Jan/13 ]

benjamin.becker, the following must also be removed. You've already noted most, but I repeated them for completeness.

    load
    startCpuProfiler
    stopCpuProfiler
    getCpuProfile
    benchRun
    benchRunSync
    benchStart
    benchFinish

Comment by Andy Schwerin [ 17/Jan/13 ]

OK, it is actually beneficial to remove the Mongo object. Our tests rely on sleep() in where, so we should leave it for now.

What are the implications of leaving jsMode in place?

As part of this work, let's file a few follow on tickets:

  • Remove sleep() from js scopes when database is not running in test mode (there's a startup setParameter to enable a bunch of testing-only features, already).
  • Change V8 bindings to not expose magic/helper bindings like _funcsN to the global scope.
  • Eliminate the _* bindings as requirements for MapReduce, so it only needs MR and emit (maybe just emit?)

We may need to file other tickets, but these seem like good ones to triage as potential 2.6 changes.

Comment by Andy Schwerin [ 07/Jan/13 ]

Run the following to demonstrate the bug

buildscripts/smoke.py --nopreallocj authmr.js 

The --nopreallocj is optional.
