<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 08:39:20 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[GODRIVER-2780] Potential File Inclusion Vulnerability in Logging</title>
                <link>https://jira.mongodb.org/browse/GODRIVER-2780</link>
                <project id="14289" key="GODRIVER">Go Driver</project>
                    <description>&lt;p&gt;A user can log to a file using the &quot;MONGODB_LOG_PATH&quot;, which uses the &lt;a href=&quot;https://pkg.go.dev/os#OpenFile&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;os.OpenFile&lt;/a&gt; API, code &lt;a href=&quot;https://github.com/prestonvasquez/mongo-go-driver/blob/master/internal/logger/logger.go#L159&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;here&lt;/a&gt;. This might be susceptible to a &lt;a href=&quot;https://securego.io/docs/rules/g304.html&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;G304&lt;/a&gt; vulnerability. I.e., &quot;an attacker who could change [the filepath variable] to hold unauthorised file paths from the system. In this way, it is possible to exfiltrate confidential information or such.&quot;&lt;/p&gt;

&lt;p&gt;There may not be a way to resolve this without hardcoding a &quot;safe path,&quot; which is not possible for this use case. Using the guidelines from the G304 link above, it might be good to at least use &lt;a href=&quot;https://pkg.go.dev/path/filepath#Clean&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;filepath.Clean&lt;/a&gt; to sanitize &quot;MONGODB_LOG_PATH&quot; and, perhaps, ensure the output file has the &quot;.log&quot; extension.&lt;/p&gt;</description>
                <environment></environment>
        <key id="2292851">GODRIVER-2780</key>
            <summary>Potential File Inclusion Vulnerability in Logging</summary>
                <type id="4" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14710&amp;avatarType=issuetype">Improvement</type>
                                            <priority id="10300" iconUrl="https://jira.mongodb.org/images/icons/priorities/medium.svg">Unknown</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="5">Cannot Reproduce</resolution>
                                        <assignee username="-1">Unassigned</assignee>
                                    <reporter username="preston.vasquez@mongodb.com">Preston Vasquez</reporter>
                        <labels>
                    </labels>
                <created>Mon, 20 Mar 2023 19:16:12 +0000</created>
                <updated>Mon, 27 Mar 2023 19:40:59 +0000</updated>
                            <resolved>Mon, 27 Mar 2023 19:40:59 +0000</resolved>
                                                                                        <votes>0</votes>
                                    <watches>1</watches>
                                                                                                                        <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_14266" key="com.atlassian.jira.plugin.system.customfieldtypes:textarea">
                        <customfieldname>Documentation Changes Summary</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>&lt;p&gt;1.  What would you like to communicate to the user about this feature?&lt;br/&gt;
2.  Would you like the user to see examples of the syntax and/or executable code and its output?&lt;br/&gt;
3.  Which versions of the driver/connector does this apply to?&lt;/p&gt;</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|i1jbts:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                </customfields>
    </item>
</channel>
</rss>
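<!--
Editor's note, added to this export and not part of the issue text or of the Go driver's own code.
The description above proposes two mitigations for the MONGODB_LOG_PATH sink: normalise the value with
filepath.Clean and require a ".log" extension. The Go program below is an added example that implements
both, and also shows the caveat a reviewer would raise: Clean removes "." and duplicate separators but
keeps leading ".." segments, so it does not stop traversal on its own. The helper names CleanLogPath,
ConfinedLogPath and OpenLog are hypothetical; ConfinedLogPath assumes a caller that can name a base
directory, which the issue notes the driver itself cannot do, and is included to show what actually
confines the path. The inputs in main() are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrBadLogPath is returned for any MONGODB_LOG_PATH value that fails validation.
var ErrBadLogPath = errors.New("invalid log path")

// CleanLogPath applies exactly the two mitigations suggested in the issue:
// normalise with filepath.Clean and require a ".log" extension.
// Caveat: Clean only collapses ".", "//" and trailing separators. It keeps
// leading ".." segments, so "../../var/log/x.log" survives this check.
func CleanLogPath(raw string) (string, error) {
	if raw == "" {
		return "", ErrBadLogPath
	}
	p := filepath.Clean(raw)
	if strings.ToLower(filepath.Ext(p)) != ".log" {
		return "", fmt.Errorf("%w: %q does not end in .log", ErrBadLogPath, raw)
	}
	return p, nil
}

// ConfinedLogPath is the stronger form for callers that can name a base
// directory (hypothetical helper; the issue says the driver itself cannot
// hardcode one). The cleaned path, made absolute relative to base, must not
// escape base. filepath.Rel is used instead of a string-prefix test so that
// "/var/log/mongo-evil" is not mistaken for a child of "/var/log/mongo".
func ConfinedLogPath(base, raw string) (string, error) {
	p, err := CleanLogPath(raw)
	if err != nil {
		return "", err
	}
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	absP := p
	if !filepath.IsAbs(absP) {
		absP = filepath.Join(absBase, absP)
	}
	absP = filepath.Clean(absP)
	rel, err := filepath.Rel(absBase, absP)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q escapes %q", ErrBadLogPath, raw, base)
	}
	return absP, nil
}

// OpenLog opens a validated path for appending only, creating it with mode
// 0600. Write-only, append-only flags mean a bad path cannot be used to read
// an existing file back out through the logger, which narrows the impact
// even when only CleanLogPath (no base directory) is available.
func OpenLog(path string) (*os.File, error) {
	return os.OpenFile(path, os.O_WRONLY|os.O_APPEND|os.O_CREATE, 0o600)
}

func main() {
	// Constructed inputs; the base is a temporary directory so the example runs anywhere.
	base, err := os.MkdirTemp("", "mongo-log-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)

	inputs := []string{"driver.log", "./sub/../driver.log", "../escape.log", "/etc/passwd", "/etc/passwd.log"}
	for _, raw := range inputs {
		p, err := ConfinedLogPath(base, raw)
		if err != nil {
			fmt.Printf("reject %-22q %v\n", raw, err)
			continue
		}
		f, err := OpenLog(p)
		if err != nil {
			panic(err)
		}
		fmt.Fprintln(f, "driver started")
		f.Close()
		fmt.Printf("accept %-22q -> %s\n", raw, p)
	}
}
```

The point of the split into CleanLogPath and ConfinedLogPath is that the first is all the issue asks for and is only a
sanity check; the extension test stops "/etc/passwd" but not "/etc/passwd.log", and Clean leaves "../escape.log"
untouched. Where the driver cannot know a base directory, the remaining lever is the open flags: append-only,
write-only, restrictive mode.
-->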