[SERVER-85849] Skip query settings application on internal collections Created: 29/Jan/24 Updated: 05/Feb/24 Resolved: 05/Feb/24 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 8.0.0-rc0 |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | Catalin Sumanaru | Assignee: | James Harrison |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | M2 | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Backwards Compatibility: | Fully Compatible |
| Sprint: | QE 2024-02-05 |
| Participants: |
| Description |
|
Currently there are guards in place to prevent query settings from being applied on id hack queries and queries containing encryption information. We should extend those guards to also include queries targeting internal collections, to prevent potential unwanted edge cases / attack vectors.
Since users will be able to set query settings via hash as well, we would need to add validation in two places:
Here we can just throw a user-friendly message stating that setting query settings on internal collections is forbidden.
We will avoid performing the query settings lookup if the query involves internal collections. |
| Comments |
| Comment by Githook User [ 02/Feb/24 ] |
|
Author: {'name': 'James H', 'email': '00jamesh@gmail.com', 'username': 'jameseh96'}
Message: GitOrigin-RevId: 4accd7430fccd57396b307d34923ed36433cfd7c |