<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 08:24:42 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[DRIVERS-2092] Drivers Spec :  Specify object, collection, and database name validation rules</title>
                <link>https://jira.mongodb.org/browse/DRIVERS-2092</link>
                <project id="10980" key="DRIVERS">Drivers</project>
                    <description>&lt;p&gt;We need to clearly define what characters are allowed/disallowed in:&lt;/p&gt;
&lt;ul class=&quot;alternate&quot; type=&quot;square&quot;&gt;
	&lt;li&gt;top-level keys in documents&lt;/li&gt;
	&lt;li&gt;keys in sub documents&lt;/li&gt;
	&lt;li&gt;database names&lt;/li&gt;
	&lt;li&gt;collection names&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;and make sure MongoDB drivers and shell enforce these rules.&lt;/p&gt;

&lt;p&gt;For reference, here&apos;s the server documentation on naming restrictions for database and collection names: &lt;a href=&quot;https://docs.mongodb.com/manual/reference/limits/#naming-restrictions&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://docs.mongodb.com/manual/reference/limits/#naming-restrictions&lt;/a&gt;&lt;/p&gt;</description>
                <environment></environment>
        <key id="294152">DRIVERS-2092</key>
            <summary>Drivers Spec :  Specify object, collection, and database name validation rules</summary>
                <type id="14901" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14700&amp;avatarType=issuetype">Spec Change</type>
                                            <priority id="4" iconUrl="https://jira.mongodb.org/images/icons/priorities/minor.svg">Minor - P4</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="2">Won&apos;t Fix</resolution>
                                        <assignee username="-1">Unassigned</assignee>
                                    <reporter username="rathi.gnanasekaran">Rathi Gnanasekaran</reporter>
                        <labels>
                    </labels>
                <created>Wed, 15 Jun 2016 17:29:07 +0000</created>
                <updated>Mon, 25 Jul 2022 16:36:09 +0000</updated>
                            <resolved>Mon, 25 Jul 2022 16:36:09 +0000</resolved>
                                                                            <votes>0</votes>
                                    <watches>8</watches>
                                                                                                                <comments>
                            <comment id="1606688" author="jmikola@gmail.com" created="Mon, 26 Jun 2017 16:52:13 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=rathi.gnanasekaran&quot; class=&quot;user-hover&quot; rel=&quot;rathi.gnanasekaran&quot;&gt;rathi.gnanasekaran&lt;/a&gt;: Why is this linked to the CRUD spec component? IIRC, this began as a ticket to enforce names for collections and databases, which would affect driver methods for selecting those objects. Somewhere down the line, document validation was added to the issue description.&lt;/p&gt;

&lt;p&gt;IMO, collection and database name validation would be a separate spec (it doesn&apos;t come up at all in the &lt;a href=&quot;https://github.com/mongodb/specifications/blob/master/source/crud/crud.rst&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;CRUD spec&lt;/a&gt;). Validating field names for documents can rightly fall under the CRUD spec.&lt;/p&gt;

&lt;p&gt;I&apos;d suggest splitting this into two issues. If you want to create a separate spec ticket for collection/database name validation, we can leave this categorized as CRUD spec and then modify the title/description to only refer to document field validation.&lt;/p&gt;</comment>
                            <comment id="1420621" author="jeff.yemin" created="Fri, 28 Oct 2016 16:05:18 +0000"  >&lt;p&gt;Lack of database name validation causes a couple of tough-to-diagnose issues.&lt;/p&gt;

&lt;p&gt;A database name that&apos;s the empty string, combined with a collection name with a dot in it, like &quot;a.b&quot;, will result in the namespace &quot;a.b&quot;   This will be encoded as the namespace &quot;a.b&quot; in OP_QUERY, which the server will interpret as database of &quot;a&quot; and collection of &quot;b&quot;.  Not what the user intended.&lt;/p&gt;

&lt;p&gt;Similarly, a database name with a dot in it, like &quot;a.b&quot;, combined with a collection name like &quot;c&quot; will result in the namespace &quot;a.b.c&quot;.  This will be encoded as the namespace &quot;a.b.c&quot; in OP_QUERY, which the server will interpret as database of &quot;a&quot; and collection of &quot;b.c&quot;.  Also not what the user intended.&lt;/p&gt;</comment>
                            <comment id="1298337" author="christkv" created="Fri, 17 Jun 2016 19:16:05 +0000"  >&lt;p&gt;That sounds like what the node driver does now. However I read this ticket as requiring even stricter validation. If it does not then we should clarify it.&lt;/p&gt;</comment>
                            <comment id="1298271" author="behackett" created="Fri, 17 Jun 2016 18:39:08 +0000"  >&lt;p&gt;Python does the exact same key checking for replace, but skips checking keys for update (you can&apos;t check keys for update). Remove is irrelevant. Aggregation $out is a server issue, similar to mapReduce $out.&lt;/p&gt;</comment>
                            <comment id="1298138" author="christkv" created="Fri, 17 Jun 2016 17:40:32 +0000"  >&lt;p&gt;Yeah most drivers do this for insert documents on serialization today. However it&apos;s not as trivial on update, remove and aggregations.&lt;/p&gt;

&lt;p&gt;Before adding additional latency to the drivers I think it&apos;s not unreasonable to ask for a pro/con assessment and to talk to Andreas.&lt;/p&gt;</comment>
                            <comment id="1298083" author="behackett" created="Fri, 17 Jun 2016 17:02:12 +0000"  >&lt;p&gt;It shouldn&apos;t be a huge performance hit. PyMongo has been checking keys for forever. When we encode a key to cstring we check if it starts with &quot;$&quot; or includes &quot;.&quot;.&lt;/p&gt;</comment>
                            <comment id="1297622" author="christkv" created="Fri, 17 Jun 2016 09:09:51 +0000"  >&lt;p&gt;Couple of things&lt;/p&gt;

&lt;p&gt;The server is holding based on perf evaluation. I do not think we should have any lower standard than them on it. Taking a huge performance hit is not really an acceptable situation for most of our users.&lt;/p&gt;

&lt;p&gt;Now If we need to do this for security reasons we need to be told to do so by our security team. We also need to do a POC and bench to see the real cost of doing this.&lt;/p&gt;

&lt;p&gt;Before mandating a drastic change like this I would like all pro/cons laid out so any decision is a fully informed decision.&lt;/p&gt;

&lt;p&gt;I do think we should validate collections and database names however as those are close to zero cost. It&apos;s traversal that is expensive.&lt;/p&gt;</comment>
                            <comment id="1297466" author="behackett" created="Fri, 17 Jun 2016 02:35:35 +0000"  >&lt;p&gt;We have to enforce this at the driver level. Even if the server starts throwing errors, we still have w:0 to think about. That option isn&apos;t going away anytime soon. This is a painful situation to get yourself into.&lt;/p&gt;</comment>
                            <comment id="1296918" author="david.golden" created="Thu, 16 Jun 2016 18:17:04 +0000"  >&lt;p&gt;[Copied from &lt;a href=&quot;https://jira.mongodb.org/browse/DRIVERS-308&quot; title=&quot;BSON Key Validation in Drivers&quot; class=&quot;issue-link&quot; data-issue-key=&quot;DRIVERS-308&quot;&gt;&lt;del&gt;DRIVERS-308&lt;/del&gt;&lt;/a&gt;]:&lt;/p&gt;

&lt;p&gt;Some of the cases I can think of:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;Insert/replace documents &#8211; can&apos;t have dotted keys; can&apos;t have $ prefixed keys (except for documents with $ref + $id and optionally $db and other fields)&lt;/li&gt;
	&lt;li&gt;Query filters &#8211; can have dotted keys and maybe can have $ prefixed keys (OP_QUERY vs find command, or maybe searching on $ref/$id?)&lt;/li&gt;
	&lt;li&gt;Update documents &#8211; can have $ keys for update operators; can have dotted keys for fields within update operators; can&apos;t have $ keys for field names in a $set update&lt;/li&gt;
&lt;/ul&gt;
</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10011">
                    <name>Depends</name>
                                                                <inwardlinks description="is depended on by">
                                                        </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                        <issuelink>
            <issuekey id="183217">JAVA-1644</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="320467">SERVER-26431</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="656210">PYTHON-1708</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                            <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10257" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Documentation Changes</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="11861"><![CDATA[Not Needed]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                        <customfield id="customfield_10951" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Driver Changes</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10940"><![CDATA[Not Needed]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hsmj3j:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        </customfields>
    </item>
</channel>
</rss>