<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 03:06:05 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-4471] [SECURITY] MapReduce able to overwrite any collection in any db regardless of authentication</title>
                <link>https://jira.mongodb.org/browse/SERVER-4471</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;p&gt;use admin;&lt;br/&gt;
db.addUser(&quot;admin&quot;, &quot;strongpasswd&quot;);&lt;br/&gt;
db.importantCollection.insert(importantData);&lt;/p&gt;

&lt;p&gt;use test;&lt;br/&gt;
db.addUser(&quot;testUser&quot;, &quot;passwd&quot;);&lt;/p&gt;

&lt;p&gt;restart mongo with authentication.&lt;/p&gt;

&lt;p&gt;Now, with the next snippet you can wipe the admin db&apos;s importantCollection:&lt;/p&gt;
&lt;pre&gt;use test;
db.auth(&quot;testUser&quot;, &quot;passwd&quot;);
db.test.insert({foo: &quot;bar&quot;});
db.runCommand({
    mapreduce: &quot;test&quot;,
    map : function Map() {
      emit(this._id, {});
    },
    reduce : function Reduce(key, values) {
      return values[0];
    },
    out : { replace: &quot;importantCollection&quot;, db: &quot;admin&quot; },
  });&lt;/pre&gt;

&lt;p&gt;In short: you run an M/R on a collection that you have access to, but the output is another db&apos;s collection that you have no rights to read or write.&lt;/p&gt;</description>
                <environment></environment>
        <key id="26389">SERVER-4471</key>
            <summary>[SECURITY] MapReduce able to overwrite any collection in any db regardless of authentication</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="9">Done</resolution>
                                        <assignee username="antoine">Antoine Girbal</assignee>
                                    <reporter username="benedicht">Gy&#246;rgy Nagy</reporter>
                        <labels>
                    </labels>
                <created>Sun, 11 Dec 2011 16:25:43 +0000</created>
                <updated>Mon, 11 Jul 2016 18:34:32 +0000</updated>
                            <resolved>Thu, 22 Dec 2011 22:34:28 +0000</resolved>
                                    <version>2.0.1</version>
                                    <fixVersion>2.1.0</fixVersion>
                                    <component>MapReduce</component>
                    <component>Security</component>
                                        <votes>0</votes>
                                    <watches>3</watches>
                    <comments>
                            <comment id="75572" author="antoine" created="Thu, 22 Dec 2011 22:34:28 +0000"  >&lt;p&gt;was already fixed, added test&lt;/p&gt;</comment>
                            <comment id="75570" author="auto" created="Thu, 22 Dec 2011 22:31:42 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{u&apos;login&apos;: u&apos;agirbal&apos;, u&apos;name&apos;: u&apos;agirbal&apos;, u&apos;email&apos;: u&apos;antoine@10gen.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-4471&quot; title=&quot;[SECURITY] MapReduce able to overwrite any collection in any db regardless of authentication&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-4471&quot;&gt;&lt;del&gt;SERVER-4471&lt;/del&gt;&lt;/a&gt;: added test&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo/commit/dbcbb1463d9fa951d2d13bd3346dd9d2d95dc9e2&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/commit/dbcbb1463d9fa951d2d13bd3346dd9d2d95dc9e2&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="75564" author="antoine" created="Thu, 22 Dec 2011 21:50:07 +0000"  >&lt;p&gt;thanks for the example.&lt;br/&gt;
I was incorrect with my previous test: with 2.0.1 I can get MR to overwrite a collection in admin.&lt;br/&gt;
But with the current master branch, an exception is correctly raised.&lt;br/&gt;
I will add a test for it, and we may need to identify the commit and backport it to 2.0.&lt;/p&gt;

&lt;p&gt;com.mongodb.CommandResult$CommandFailure: command failed [command failed &lt;span class=&quot;error&quot;&gt;&amp;#91;mapreduce&amp;#93;&lt;/span&gt; &lt;/p&gt;
{ &quot;serverUsed&quot; : &quot;localhost:27017&quot; , &quot;errmsg&quot; : &quot;exception: unauthorized db:admin lock type:1 client:127.0.0.1&quot; , &quot;code&quot; : 10057 , &quot;ok&quot; : 0.0}
&lt;p&gt;	at com.mongodb.CommandResult.getException(CommandResult.java:75)&lt;br/&gt;
	at com.mongodb.CommandResult.throwOnError(CommandResult.java:121)&lt;br/&gt;
	at org.mongo.jmongob.CollectionPanel$3.doRun(CollectionPanel.java:345)&lt;br/&gt;
	at org.mongo.jmongob.DbJob$1.doInBackground(DbJob.java:62)&lt;br/&gt;
	at javax.swing.SwingWorker$1.call(SwingWorker.java:291)&lt;br/&gt;
	at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)&lt;br/&gt;
	at java.util.concurrent.FutureTask.run(FutureTask.java:166)&lt;br/&gt;
	at javax.swing.SwingWorker.run(SwingWorker.java:330)&lt;br/&gt;
	at com.edgytech.swingfast.ScalableThreadPool$ScalableThreadpoolWorker.run(ScalableThreadPool.java:48)&lt;br/&gt;
	at java.lang.Thread.run(Thread.java:679)&lt;/p&gt;
</comment>
                            <comment id="74206" author="benedicht" created="Sun, 18 Dec 2011 07:16:17 +0000"  >&lt;p&gt;Attaching my working example. I have a server that has 3 dbs: admin, stats and tuner_db. All dbs have a user and authentication is turned on.&lt;br/&gt;
&apos;tuner_db&apos; stores the raw data, and the script does various M/Rs to collect statistics that go to the &apos;stats&apos; db.&lt;br/&gt;
In the script there is an out_db variable that by default is &apos;stats&apos;, but if I change it (as in the uploaded file) to &apos;admin&apos; it works too, and without any authentication the final collections will be stored in the &apos;admin&apos; db.&lt;br/&gt;
I run the script with mongo: &apos;mongo serveraddress:27017/tuner_db StatMaker.js&apos;.&lt;/p&gt;

&lt;p&gt;I hope this will be a better example than the previous one.&lt;/p&gt;</comment>
                            <comment id="74153" author="antoine" created="Sat, 17 Dec 2011 19:34:03 +0000"  >&lt;p&gt;I cannot reproduce this with either 2.0.1 or master.&lt;br/&gt;
Are you positive that you were not still authenticated to the admin db?&lt;br/&gt;
If you only restart the server but not the client, the client still remembers your auth and will reauth on new connections.&lt;/p&gt;

&lt;p&gt;command:&lt;/p&gt;
&lt;pre&gt;test.test / M/R: { &quot;mapreduce&quot; : &quot;test&quot; , &quot;map&quot; : &quot;function() {\n  emit(this._id, 1);\n}&quot; , &quot;reduce&quot; : &quot;function(k,vals) {\n     var total=0;\n     vals.forEach(function(i) {\ntotal = myadd(total, i);\n     });\n\n     return total;\n}&quot; , &quot;verbose&quot; : true , &quot;out&quot; : { &quot;replace&quot; : &quot;mrtest4&quot; , &quot;db&quot; : &quot;admin&quot;}}&lt;/pre&gt;

&lt;p&gt;With 2.0.1:&lt;/p&gt;

&lt;p&gt;com.mongodb.MongoException: unauthorized db:admin lock type:-1 client:127.0.0.1&lt;br/&gt;
	at com.mongodb.MongoException.parse(MongoException.java:82)&lt;br/&gt;
	at com.mongodb.DBApiLayer$MyCollection.__find(DBApiLayer.java:312)&lt;br/&gt;
	at com.mongodb.DBCursor._check(DBCursor.java:369)&lt;br/&gt;
	at com.mongodb.DBCursor._hasNext(DBCursor.java:498)&lt;br/&gt;
	at com.mongodb.DBCursor.hasNext(DBCursor.java:523)&lt;br/&gt;
	at org.mongo.jmongob.DocView$2.doRun(DocView.java:328)&lt;br/&gt;
	at org.mongo.jmongob.DbJob$1.doInBackground(DbJob.java:62)&lt;br/&gt;
	at javax.swing.SwingWorker$1.call(SwingWorker.java:291)&lt;br/&gt;
	at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)&lt;br/&gt;
	at java.util.concurrent.FutureTask.run(FutureTask.java:166)&lt;br/&gt;
	at javax.swing.SwingWorker.run(SwingWorker.java:330)&lt;br/&gt;
	at com.edgytech.swingfast.ScalableThreadPool$ScalableThreadpoolWorker.run(ScalableThreadPool.java:48)&lt;br/&gt;
	at java.lang.Thread.run(Thread.java:679)&lt;/p&gt;

&lt;p&gt;with master:&lt;/p&gt;

&lt;p&gt;com.mongodb.CommandResult$CommandFailure: command failed [command failed &lt;span class=&quot;error&quot;&gt;&amp;#91;mapreduce&amp;#93;&lt;/span&gt; &lt;/p&gt;
{ &quot;serverUsed&quot; : &quot;localhost:27017&quot; , &quot;errmsg&quot; : &quot;exception: unauthorized db:admin lock type:1 client:127.0.0.1&quot; , &quot;code&quot; : 10057 , &quot;ok&quot; : 0.0}
&lt;p&gt;	at com.mongodb.CommandResult.getException(CommandResult.java:75)&lt;br/&gt;
	at com.mongodb.CommandResult.throwOnError(CommandResult.java:121)&lt;br/&gt;
	at org.mongo.jmongob.CollectionPanel$3.doRun(CollectionPanel.java:345)&lt;br/&gt;
	at org.mongo.jmongob.DbJob$1.doInBackground(DbJob.java:62)&lt;br/&gt;
	at javax.swing.SwingWorker$1.call(SwingWorker.java:291)&lt;br/&gt;
	at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)&lt;br/&gt;
	at java.util.concurrent.FutureTask.run(FutureTask.java:166)&lt;br/&gt;
	at javax.swing.SwingWorker.run(SwingWorker.java:330)&lt;br/&gt;
	at com.edgytech.swingfast.ScalableThreadPool$ScalableThreadpoolWorker.run(ScalableThreadPool.java:48)&lt;br/&gt;
	at java.lang.Thread.run(Thread.java:679)&lt;/p&gt;</comment>
                    </comments>
                    <attachments>
                            <attachment id="14173" name="StatMaker.js" size="11229" author="benedicht" created="Sun, 18 Dec 2011 07:16:17 +0000"/>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                    <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>5.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Sat, 17 Dec 2011 19:34:03 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        12 years, 8 weeks, 6 days ago
    
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>ramon.fernandez@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            12 years, 8 weeks, 6 days ago
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10032" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Operating System</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10026"><![CDATA[ALL]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>antoine</customfieldvalue>
            <customfieldvalue>auto</customfieldvalue>
            <customfieldvalue>benedicht</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hrojev:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hrgcmn:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>8955</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_23361" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Requested By</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|ht0con:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                </customfields>
    </item>
</channel>
</rss>