<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Wed Feb 07 21:16:24 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[CDRIVER-2814] No simple way to validate a BSON document without crashing</title>
                <link>https://jira.mongodb.org/browse/CDRIVER-2814</link>
                <project id="10030" key="CDRIVER">C Driver</project>
                    <description>&lt;p&gt;If I call bson_validate() with a document with more than 500 levels of nesting, it crashes.&lt;/p&gt;

&lt;p&gt;I had created a separate bug for insert (&lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-2701&quot; title=&quot;Add example of validating BSON nesting depth with bson_visitor_t&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-2701&quot;&gt;&lt;del&gt;CDRIVER-2701&lt;/del&gt;&lt;/a&gt;) and the workaround suggested was too complicated and not very efficient. It seems strange to me that we need to validate the document before calling the validate function( whose job it is to say whether the document is valid or not) just to prevent it from crashing. &lt;/p&gt;

&lt;p&gt;&#160;&lt;/p&gt;

&lt;p&gt;So in effect, bson_validate() only works on already validated documents. &lt;/p&gt;

&lt;p&gt;&#160;&lt;/p&gt;

&lt;p&gt;I think this is a serious issue which needs to be fixed. I understand that there are inconsistencies in what MongoDB server does and what Extended JSON Spec says. But I think using the maximum depth of 180 like MongoDB server does is much better than letting it crash or requiring users to validate the document before calling bson_validate(). I don&apos;t think the change will make what the Extended JSON Spec any more untrue than what it is today.&lt;/p&gt;</description>
                <environment>Windows 10</environment>
        <key id="599616">CDRIVER-2814</key>
            <summary>No simple way to validate a BSON document without crashing</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="2">Won&apos;t Fix</resolution>
                                        <assignee username="kevin.albertson@mongodb.com">Kevin Albertson</assignee>
                                    <reporter username="bhargavabhat@gmail.com">Bh Sr</reporter>
                        <labels>
                    </labels>
                <created>Wed, 5 Sep 2018 09:18:22 +0000</created>
                <updated>Thu, 6 Apr 2023 16:29:03 +0000</updated>
                            <resolved>Thu, 6 Sep 2018 18:41:22 +0000</resolved>
                                    <version>1.12.0</version>
                                                    <component>libmongoc</component>
                                        <votes>0</votes>
                                    <watches>3</watches>
                                                                                                                <comments>
                            <comment id="2032991" author="viaus" created="Mon, 15 Oct 2018 16:39:51 +0000"  >&lt;p&gt;@Kevin Albertson&lt;/p&gt;

&lt;p&gt;I find your attitude rather strange. What you say is: &quot;since you can write your own code to do X, we are not going to fix Y in libbson&quot;. Given that BSON is an open specification of what a bunch of bytes in a region of memory means, and libbson is just a convenience you provide to deal with that, I can ALWAYS write my code to do X no matter what Y is. So you have an excellent excuse for never fixing any issues your libbson has, because hey, the user can just massage those bytes, that&apos;s not rocket science!&lt;/p&gt;

&lt;p&gt;Fact is, your documentation states &lt;a href=&quot;http://mongoc.org/libbson/current/parsing.html#validating-a-bson-document:&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;http://mongoc.org/libbson/current/parsing.html#validating-a-bson-document:&lt;/a&gt; If all you want to do is validate that a BSON document is valid, you can use&#160;&lt;a href=&quot;http://mongoc.org/libbson/current/bson_validate.html&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;bson_validate()&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;But doing so, as explained, can crash my application, possibly creating an exploitable security vulnerability. And if I start pre-validating BSON documents for this particular issue, how do I know there is no other issue I need to pre-validate for, and how can I make sure my code actually works correctly and is not a security hole in itself? And what if I am a user who does not watch your bug list and is blissfully unaware of the need to pre-validate BSON inputs to begin with?&lt;/p&gt;

&lt;p&gt;Dismissing this bug &quot;since you can accomplish this using bson_visitor_t&quot; would be a very irresponsible act by libbson&apos;s maintainers.&lt;/p&gt;</comment>
                            <comment id="1995556" author="kevin.albertson" created="Thu, 6 Sep 2018 18:41:22 +0000"  >&lt;p&gt;Hi Bhargava,&lt;/p&gt;

&lt;p&gt;Although it is an additional check, since you can accomplish this using bson_visitor_t we won&apos;t be changing bson_validate. Thanks for your understanding.&lt;/p&gt;</comment>
                            <comment id="1993536" author="bhargavabhat@gmail.com" created="Wed, 5 Sep 2018 10:07:07 +0000"  >&lt;p&gt;To be clear, it&apos;s fine if bson_validate() uses Extended JSON Spec&apos;s limit as well. I just think that the library should provide an API to check whether a BSON document is &quot;valid&quot; and is something that the rest of the BSON API can handle.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                        <issuelink>
            <issuekey id="560117">CDRIVER-2701</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|htxnj3:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            </customfields>
    </item>
</channel>
</rss>