<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Wed Feb 07 21:21:33 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[CDRIVER-4658] Replace operations may inadvertently execute update pipelines </title>
                <link>https://jira.mongodb.org/browse/CDRIVER-4658</link>
                <project id="10030" key="CDRIVER">C Driver</project>
                    <description>&lt;h4&gt;&lt;a name=&quot;Summary&quot;&gt;&lt;/a&gt;Summary&lt;/h4&gt;

&lt;p&gt;I discovered this while investigating a similar issue in &lt;a href=&quot;https://jira.mongodb.org/browse/PHPLIB-1129&quot; title=&quot;Replace operations may inadvertently execute pipeline updates&quot; class=&quot;issue-link&quot; data-issue-key=&quot;PHPLIB-1129&quot;&gt;&lt;del&gt;PHPLIB-1129&lt;/del&gt;&lt;/a&gt;, some of which is dependent on libmongoc (&lt;tt&gt;update&lt;/tt&gt; operations) and not (&lt;tt&gt;findAndModify&lt;/tt&gt;, which is entirely in PHPLIB).&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-3063&quot; title=&quot;Add the ability to specify a pipeline to an update command&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-3063&quot;&gt;&lt;del&gt;CDRIVER-3063&lt;/del&gt;&lt;/a&gt; implemented support for update pipelines. Since documents and arrays are both represented as&#160;&lt;tt&gt;bson_t&lt;/tt&gt;&#160;structs, libmongoc relies on&#160;&lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/blob/1.23.5/src/libmongoc/src/mongoc/mongoc-util.c#L616&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;_mongoc_document_is_pipeline&lt;/a&gt;&#160;to infer whether something looks like a pipeline or not.Interestingly, this is only used for validating a parameter for update (e.g. updateOne, updateMany), and isn&apos;t used for replacement validation. In other words, update/replacement parameters are not mutually exclusive and it would seem that something resembling a pipeline&#160;&lt;em&gt;could&lt;/em&gt;&#160;be used as a valid replacement argument.&lt;/p&gt;

&lt;p&gt;Furthermore, when libmongoc appends the update/replacement/pipeline parameter on the wire, it decides to use a BSON array or document type based on&#160;&lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/blob/1.23.5/src/libmongoc/src/mongoc/mongoc-util.c#L616&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;_mongoc_document_is_pipeline&lt;/a&gt;&#160;(see:&#160;&lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/blob/1.23.5/src/libmongoc/src/mongoc/mongoc-write-command.c#L123&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;_mongoc_write_command_update_append&lt;/a&gt;). This makes it possible for a replace operation to inadvertently execute an update pipeline, as demonstrated in &lt;a href=&quot;https://github.com/kevinAlbs/c-bootstrap/blob/master/investigations/PHPLIB-1129/main.c&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;kevinAlbs/c-bootstrap&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The&#160;&lt;tt&gt;findAndModify&lt;/tt&gt;&#160;helper does something similar in&#160;&lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/blob/1.23.5/src/libmongoc/src/mongoc/mongoc-collection.c#L3449&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;mongoc_collection_find_and_modify_with_opts&lt;/a&gt;, but it&apos;s seemingly less of a problem there since libmongoc doesn&apos;t implement the CRUD API &amp;#8211; so there&apos;s no notion of&#160;&lt;tt&gt;findOneAndUpdate&lt;/tt&gt;&#160;or&#160;&lt;tt&gt;findOneAndReplace&lt;/tt&gt;.&lt;/p&gt;

&lt;h4&gt;&lt;a name=&quot;Environment&quot;&gt;&lt;/a&gt;Environment&lt;/h4&gt;

&lt;p&gt;libmongoc 1.23.5, although reproducible in versions since 1.15 (when &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-3063&quot; title=&quot;Add the ability to specify a pipeline to an update command&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-3063&quot;&gt;&lt;del&gt;CDRIVER-3063&lt;/del&gt;&lt;/a&gt; was implemented).&lt;/p&gt;

&lt;h4&gt;&lt;a name=&quot;HowtoReproduce&quot;&gt;&lt;/a&gt;How to Reproduce&lt;/h4&gt;

&lt;p&gt;See: &lt;a href=&quot;https://github.com/kevinAlbs/c-bootstrap/blob/master/investigations/PHPLIB-1129/main.c&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/kevinAlbs/c-bootstrap/blob/master/investigations/PHPLIB-1129/main.c&lt;/a&gt;&lt;/p&gt;</description>
                <environment></environment>
        <key id="2362672">CDRIVER-4658</key>
            <summary>Replace operations may inadvertently execute update pipelines </summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="4" iconUrl="https://jira.mongodb.org/images/icons/priorities/minor.svg">Minor - P4</priority>
                        <status id="10038" iconUrl="https://jira.mongodb.org/images/icons/subtask.gif" description="">Backlog</status>
                    <statusCategory id="2" key="new" colorName="default"/>
                                    <resolution id="-1">Unresolved</resolution>
                                        <assignee username="-1">Unassigned</assignee>
                                    <reporter username="jmikola@mongodb.com">Jeremy Mikola</reporter>
                        <labels>
                    </labels>
                <created>Thu, 8 Jun 2023 16:20:15 +0000</created>
                <updated>Mon, 12 Jun 2023 19:13:26 +0000</updated>
                                            <version>1.15.0</version>
                                                    <component>CRUD</component>
                                        <votes>0</votes>
                                    <watches>2</watches>
                                                                                                                    <issuelinks>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="2334790">PHPLIB-1129</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="727618">CDRIVER-3063</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|i1v4zk:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            </customfields>
    </item>
</channel>
</rss>