Mongoid / MONGOID-4689

Mongoid::Criteria#find searches globally, does not restrict to criteria

    • Type: Bug
    • Resolution: Fixed
    • Priority: Critical - P2
    • Fix Version/s: 7.1.0.rc0
    • Affects Version/s: 7.0.2
    • Component/s: Query
    • Environment:
      Rails 5.2.2, Mongoid 7.0.2, MongoDB 3.6

       Using a minimal

      # app/models/thing.rb
      class Thing
        include Mongoid::Document
      end
      

      I obtain results from #find which do not match the criteria:
       

      2.5.3 :001 > thing1 = Thing.create!
       => #<Thing _id: 5c45ed89a8f843354e3bc05a, > 
      2.5.3 :002 > thing2 = Thing.create!
       => #<Thing _id: 5c45ed8ba8f843354e3bc05b, > 
      2.5.3 :003 > Thing.where(id: thing1.id.to_s).count
       => 1 
      2.5.3 :004 > Thing.where(id: thing1.id.to_s).map(&:id)
       => [BSON::ObjectId('5c45ed89a8f843354e3bc05a')] 
      2.5.3 :005 > Thing.where(id: thing1.id.to_s).find(thing2.id.to_s)         # I'd expect 'nil'
       => #<Thing _id: 5c45ed8ba8f843354e3bc05b, > 
      

      Here Mongoid::Criteria#find returned a result beyond the scope of the criteria, in contradiction to its documentation: "Find the matchind document(s) in the criteria for the provided ids."

      In applications where developers trusted Mongoid::Criteria#find to only render results within the criteria, this bug may well lead to application users being able to access data which they should not be able to access otherwise. Hence this bug is relevant for information security and data protection.

            Assignee:
            oleg.pudeyev@mongodb.com Oleg Pudeyev (Inactive)
            Reporter:
            larnold@givve.com Leo Arnold
            Votes:
            0
            Watchers:
            2
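
As an added illustration (not part of the original report and not Mongoid code): a defense-in-depth pattern for the exposure described above, re-checking the authorization predicate in application code instead of trusting the scope alone. `LeakyScope`, `find_authorized` and the sample records are hypothetical and constructed; `LeakyScope#find` only imitates the behaviour shown in the console session.

```ruby
# Constructed stand-in for the report: a scope whose #find ignores its own
# filter, as observed in the console session. This is not Mongoid code.
Thing = Struct.new(:id, :owner_id)

class LeakyScope
  def initialize(all, &filter)
    @all = all
    @filter = filter
  end

  # Enumerating the scope honours the filter (like .count / .map above).
  def to_a
    @all.select(&@filter)
  end

  # Imitates the reported behaviour: looks up by id across ALL records.
  def find(id)
    @all.find { |t| t.id == id }
  end
end

# Hypothetical helper: look the record up through the scope, then re-check
# the authorization predicate in application code before returning it.
# "Not found" and "not permitted" both yield nil, so a caller cannot learn
# from the result whether a foreign id exists.
def find_authorized(scope, id)
  doc = scope.find(id)
  return nil if doc.nil?
  yield(doc) ? doc : nil
end

# Constructed sample data: one record per owner.
ALL = [Thing.new("a1", "alice"), Thing.new("b2", "bob")].freeze
ALICE_SCOPE = LeakyScope.new(ALL) { |t| t.owner_id == "alice" }

def demo
  owned_by_alice = ->(t) { t.owner_id == "alice" }
  {
    leaky_foreign:   ALICE_SCOPE.find("b2"),
    guarded_foreign: find_authorized(ALICE_SCOPE, "b2", &owned_by_alice),
    guarded_own:     find_authorized(ALICE_SCOPE, "a1", &owned_by_alice),
    guarded_missing: find_authorized(ALICE_SCOPE, "zz", &owned_by_alice)
  }
end

p demo if $PROGRAM_NAME == __FILE__
```

With Mongoid's default configuration a missing id raises `Mongoid::Errors::DocumentNotFound` rather than returning nil, so a real caller would rescue that error and treat it the same as a failed predicate.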