[SERVER-85849] Skip query settings application on internal collections Created: 29/Jan/24  Updated: 05/Feb/24  Resolved: 05/Feb/24

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 8.0.0-rc0

Type: Task Priority: Major - P3
Reporter: Catalin Sumanaru Assignee: James Harrison
Resolution: Fixed Votes: 0
Labels: M2
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Sprint: QE 2024-02-05
Participants:

 Description   

Currently there are guards in place to prevent query settings from being applied on id hack queries and on queries containing encryption information. We should extend those guards to also include queries targeting internal collections to prevent potential unwanted edge cases / attack vectors.

 

Since users will be able to set query settings via hash as well, we would need to add validation in two places:

  • query settings being set via query

    Here we can just throw a user-friendly message stating that setting query settings on internal collections is forbidden.

  • query settings lookup

    We will avoid performing the query settings lookup if the query involves internal collections.
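The two guards described above, as an added example that is not MongoDB source code: a simplified model showing why the lookup-side check is still needed once settings can be stored by hash. All type and function names are hypothetical, and the definition of "internal" (the admin, config and local databases plus system.* collections) is an assumption made for the example.

```cpp
#include <functional>
#include <map>
#include <stdexcept>
#include <string>

// Simplified model; every name here is hypothetical, not the server's API.
struct Query {
    std::string db;
    std::string coll;
    std::string filter;
};

// Assumption: what counts as an "internal" collection in this model.
bool isInternalCollection(const Query& q) {
    return q.db == "admin" || q.db == "config" || q.db == "local" ||
           q.coll.rfind("system.", 0) == 0;
}

// Stand-in for the query shape hash used as the settings key.
std::string shapeHash(const Query& q) {
    return std::to_string(
        std::hash<std::string>{}(q.db + "." + q.coll + "|" + q.filter));
}

class QuerySettingsStore {
    std::map<std::string, std::string> byHash_;

public:
    // Guard 1: the namespace is known when a full query is supplied, so reject up front.
    void setByQuery(const Query& q, const std::string& settings) {
        if (isInternalCollection(q))
            throw std::invalid_argument(
                "setting query settings on internal collections is forbidden");
        byHash_[shapeHash(q)] = settings;
    }

    // Assumption: a hash-only request carries no namespace to validate here.
    void setByHash(const std::string& hash, const std::string& settings) {
        byHash_[hash] = settings;
    }

    // Guard 2: skip the lookup entirely for internal collections, so an
    // entry stored by hash is never applied to them. Returns nullptr if none.
    const std::string* lookup(const Query& q) const {
        if (isInternalCollection(q)) return nullptr;
        auto it = byHash_.find(shapeHash(q));
        return it == byHash_.end() ? nullptr : &it->second;
    }
};
```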



 Comments   
Comment by Githook User [ 02/Feb/24 ]

Author: James H <00jamesh@gmail.com> (jameseh96)

Message: SERVER-85849: Skip query settings application on internal collections (#18596)

GitOrigin-RevId: 4accd7430fccd57396b307d34923ed36433cfd7c
Branch: master
https://github.com/mongodb/mongo/commit/a4604f30ba8182179dbdff5f153ba0da5e87c3c6
