Summary

I discovered this while investigating a similar issue in PHPLIB-1129, some of which is dependent on libmongoc (update operations) and not (findAndModify, which is entirely in PHPLIB).

CDRIVER-3063 implemented support for update pipelines. Since documents and arrays are both represented as bson_t structs, libmongoc relies on _mongoc_document_is_pipeline to infer whether something looks like a pipeline or not.Interestingly, this is only used for validating a parameter for update (e.g. updateOne, updateMany), and isn't used for replacement validation. In other words, update/replacement parameters are not mutually exclusive and it would seem that something resembling a pipeline could be used as a valid replacement argument.

Furthermore, when libmongoc appends the update/replacement/pipeline parameter on the wire, it decides to use a BSON array or document type based on _mongoc_document_is_pipeline (see: _mongoc_write_command_update_append). This makes it possible for a replace operation to inadvertently execute an update pipeline, as demonstrated in kevinAlbs/c-bootstrap.

The findAndModify helper does something similar in mongoc_collection_find_and_modify_with_opts, but it's seemingly less of a problem there since libmongoc doesn't implement the CRUD API – so there's no notion of findOneAndUpdate or findOneAndReplace.

Environment

libmongoc 1.23.5, although reproducible in versions since 1.15 (when CDRIVER-3063 was implemented).

How to Reproduce

See: https://github.com/kevinAlbs/c-bootstrap/blob/master/investigations/PHPLIB-1129/main.c