<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 07:38:26 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[DOCS-328] A (malicious) JS script can set EDITOR to an unsafe value</title>
                <link>https://jira.mongodb.org/browse/DOCS-328</link>
                <project id="10380" key="DOCS">Documentation</project>
                    <description>&lt;p&gt;Running a JS script with &lt;p/&gt;
&lt;div id=&quot;syntaxplugin&quot; class=&quot;syntaxplugin&quot; style=&quot;border: 1px dashed #bbb; border-radius: 5px !important; overflow: auto; max-height: 30em;&quot;&gt;
&lt;table cellspacing=&quot;0&quot; cellpadding=&quot;0&quot; border=&quot;0&quot; width=&quot;100%&quot; style=&quot;font-size: 1em; line-height: 1.4em !important; font-weight: normal; font-style: normal; color: black;&quot;&gt;
		&lt;tbody &gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;  margin-top: 10px;   margin-bottom: 10px;  width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;mongo --shell &amp;lt;malicious_script.js&amp;gt;&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
			&lt;/tbody&gt;
&lt;/table&gt;
&lt;/div&gt;
&lt;p/&gt; can set the &lt;b&gt;EDITOR&lt;/b&gt; variable which is used to launch an editor via the &lt;b&gt;edit&lt;/b&gt; command. Because &lt;b&gt;edit&lt;/b&gt; just forks off a process with the command string of &quot;&lt;b&gt;&amp;lt;EDITOR value&amp;gt; &amp;lt;temp filename&amp;gt;&lt;/b&gt;&quot; if the &lt;b&gt;EDITOR&lt;/b&gt; is set to, say, &lt;b&gt;rm -rf ~/&lt;/b&gt;, bad things can happen.&lt;/p&gt;

&lt;p&gt;Programs that make use of the &lt;b&gt;EDITOR&lt;/b&gt; environment variable all operate the same way (and by that I mean, they don&apos;t check to see if the value is actually an editor...because well they can&apos;t really). I propose clearly documenting mongo is no different in this regard and to warn users to be careful that scripts they run in the shell can modify the &lt;b&gt;EDITOR&lt;/b&gt; variable.&lt;/p&gt;

&lt;p&gt;Another possibility is clearing out the &lt;b&gt;EDITOR&lt;/b&gt; JS variable after any script is run.&lt;/p&gt;</description>
                <environment>Linux</environment>
        <key id="43552">DOCS-328</key>
            <summary>A (malicious) JS script can set EDITOR to an unsafe value</summary>
                <type id="3" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14718&amp;avatarType=issuetype">Task</type>
                                            <priority id="5" iconUrl="https://jira.mongodb.org/images/icons/priorities/trivial.svg">Trivial - P5</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="9">Done</resolution>
                                        <assignee username="mark">Mark porter</assignee>
                                    <reporter username="daniel.gottlieb@mongodb.com">Daniel Gottlieb</reporter>
                        <labels>
                    </labels>
                <created>Fri, 6 Jul 2012 15:57:02 +0000</created>
                <updated>Mon, 30 Oct 2023 22:41:21 +0000</updated>
                            <resolved>Thu, 13 Sep 2012 12:04:16 +0000</resolved>
                                                    <fixVersion>Server_Docs_20231030</fixVersion>
                                    <component>Server</component>
                        <due></due>
                            <votes>0</votes>
                                    <watches>3</watches>
                                                                                                                <comments>
                            <comment id="163881" author="mark" created="Thu, 13 Sep 2012 12:04:16 +0000"  >&lt;p&gt;Working as designed.&lt;/p&gt;</comment>
                            <comment id="163858" author="mark" created="Thu, 13 Sep 2012 10:49:33 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=samk&quot; class=&quot;user-hover&quot; rel=&quot;samk&quot;&gt;samk&lt;/a&gt; Just wondering are you proposing that this statement is included in &lt;a href=&quot;https://jira.mongodb.org/browse/DOCS-79&quot; title=&quot;Document Security and Authentication&quot; class=&quot;issue-link&quot; data-issue-key=&quot;DOCS-79&quot;&gt;&lt;del&gt;DOCS-79&lt;/del&gt;&lt;/a&gt;? I think that this is working as designed and its mention in documentation will add confusion. I thought the understanding of the danger of having a malicious javascript called by &apos;eval&apos; would have been a given.&lt;/p&gt;</comment>
                            <comment id="140683" author="daniel.gottlieb@10gen.com" created="Sun, 8 Jul 2012 20:44:23 +0000"  >&lt;p&gt;I didn&apos;t call it a bug! I was really just proposing one sentence of documentation that reinforces mongo shell scripts are no more secure than other scripts a developer may run. Maybe scripts potentially being malicious is as common knowledge as we hope it should be, but I&apos;m not sure if people make the connection that mongo/javascript can invoke shell commands like any other language. The &lt;b&gt;EDITOR&lt;/b&gt; variable being yet another (albeit circuitous) avenue of exploitation. I&apos;m not proposing a redesign of the actual function.&lt;/p&gt;</comment>
                            <comment id="140674" author="schwerin" created="Sun, 8 Jul 2012 19:17:40 +0000"  >&lt;p&gt;I&apos;m pretty sure this isn&apos;t a security bug.  I don&apos;t see how it&apos;s different from letting a user execute a mongo shell program that forks a &quot;rm -rf&quot; subprocess, or for that matter, running a python or shell script that runs the equivalent of rm -rf.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                        <issuelink>
            <issuekey id="22020">SERVER-3787</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="24999">DOCS-79</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>4.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Sun, 8 Jul 2012 19:17:40 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        11 years, 22 weeks, 6 days ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>emet.ozar@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            11 years, 22 weeks, 6 days ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>schwerin@mongodb.com</customfieldvalue>
            <customfieldvalue>daniel.gottlieb@mongodb.com</customfieldvalue>
            <customfieldvalue>mark</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hrsep3:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hrhn0n:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>16538</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hrzg0v:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                </customfields>
    </item>
</channel>
</rss>