- Type: Bug
- Resolution: Fixed
- Priority: Critical - P2
- Affects Version/s: 7.0.2
- Component/s: Query
- Environment: Rails 5.2.2, Mongoid 7.0.2, MongoDB 3.6
Using a minimal
    # app/models/thing.rb
    class Thing
      include Mongoid::Document
    end
I obtain results from #find which do not match the criteria:
    2.5.3 :001 > thing1 = Thing.create!
     => #<Thing _id: 5c45ed89a8f843354e3bc05a, >
    2.5.3 :002 > thing2 = Thing.create!
     => #<Thing _id: 5c45ed8ba8f843354e3bc05b, >
    2.5.3 :003 > Thing.where(id: thing1.id.to_s).count
     => 1
    2.5.3 :004 > Thing.where(id: thing1.id.to_s).map(&:id)
     => [BSON::ObjectId('5c45ed89a8f843354e3bc05a')]
    2.5.3 :005 > Thing.where(id: thing1.id.to_s).find(thing2.id.to_s) # I'd expect 'nil'
     => #<Thing _id: 5c45ed8ba8f843354e3bc05b, >
Here Mongoid::Criteria#find returned a result beyond the scope of the criteria, in contradiction to its documentation: "Find the matchind document(s) in the criteria for the provided ids."
In applications where developers trusted Mongoid::Criteria#find to only render results within the criteria, this bug may well lead to application users being able to access data which they should not be able to access otherwise. Hence this bug is relevant for information security and data protection.
- is related to: MONGOID-5329 Ability to remove default scope from Criteria (Backlog)
- related to: MONGOID-4539 #create_with attrs should not be used in where query (Closed)
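The failure mode reported above, as an added example that is not code from the report or from Mongoid: plain Ruby hashes stand in for query selectors, and an id lookup that overwrites the scope's existing `_id` condition is set beside one that ANDs with it. The overwrite mechanism is an assumption chosen to reproduce the observed result (the issue does not state the root cause), and all method names are hypothetical; the two ids are the ones from the session above.

```ruby
# Illustrative model only: hashes stand in for MongoDB selectors.
# Not Mongoid's implementation; method names are hypothetical.

THING1 = "5c45ed89a8f843354e3bc05a" # ids taken from the report's irb session
THING2 = "5c45ed8ba8f843354e3bc05b"
DOCS = [{ "_id" => THING1 }, { "_id" => THING2 }].freeze

# Evaluate a selector (equality conditions plus "$and") against one document.
def matches?(doc, selector)
  selector.all? do |key, value|
    if key == "$and"
      value.all? { |sub| matches?(doc, sub) }
    else
      doc[key] == value
    end
  end
end

def run(selector)
  DOCS.select { |doc| matches?(doc, selector) }
end

# Weak (assumed mechanism): the id lookup replaces the "_id" condition
# already present in the scope, so the scope no longer restricts the result.
def find_overwriting(scope, id)
  run(scope.merge("_id" => id)).first
end

# Hardened: the id lookup is ANDed with the scope and can only narrow it.
def find_within(scope, id)
  run("$and" => [scope, { "_id" => id }]).first
end

# Guard for callers that cannot trust the lookup: re-check the returned
# document against the original scope and discard it if it falls outside.
def guarded_find(scope, id)
  doc = find_overwriting(scope, id)
  doc if doc && matches?(doc, scope)
end

SCOPE = { "_id" => THING1 }.freeze # models Thing.where(id: thing1.id.to_s)
```

The `guarded_find` pattern corresponds to what an application on an affected version can do in an access-control path: treat the result of a scoped lookup as untrusted until it has been checked against the scope's own conditions.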