- Type: Improvement
- Resolution: Unresolved
- Priority: Major - P3
- Affects Version/s: 2.5.2
- Component/s: Aggregation Framework, Querying, Security, Write Ops
- Query Optimization
The aggregation framework supports a syntax with dollar-sign field name selection on the right-hand side. This creates the potential for an injection-style attack analogous to SQL injection.
There is now a $literal operator (SERVER-5782). However, the claim of this ticket is that that isn't sufficient. It does solve an issue (you can use dollar signs in literals), but it doesn't really solve the injection issue. A client side smart enough to always use $literal could just as easily look for leading dollar signs instead, for example.
Of particular importance here would be if the aggregation framework syntax migrates into the regular query syntax. Then, if one failed to use $literal, it would be likely that there would be a good number of apps out there with an injection vulnerability, either with projection or with querying.
One solution would be to use a left-hand-side (lhs) rather than a right-hand-side (rhs) operator, e.g.:
{ x : "$foo" } ->
{ x :
}
The main concern here is if this operator were to move beyond the $project operator phrases and into other things.
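To make the risk described above concrete, here is an added illustration that is not part of the ticket and not MongoDB's own code. It models only the small subset of $project expression evaluation that matters here (a string beginning with "$" is a field path, {"$literal": v} yields v unchanged, everything else is a plain value; this simplification is an assumption) and contrasts the naive way of placing an untrusted value on the right-hand side with the two mitigations the ticket mentions: wrapping in $literal, and rejecting values with a leading dollar sign. The sample document and the hypothetical builder functions are constructed for the example.

```python
# Added illustration (not from the ticket or from MongoDB): a minimal model of
# how a $project stage reads string values on the right-hand side, to show why
# untrusted input there behaves like an injection and how $literal closes it.

def resolve_field_path(doc, path):
    """Resolve a dotted field path such as 'a.b' against doc; None if absent."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def evaluate_expression(doc, expr):
    """Tiny subset of aggregation expression evaluation (assumption: only
    field paths, $literal, nested objects and plain scalars are modelled)."""
    if isinstance(expr, str) and expr.startswith("$"):
        # "$name" on the right-hand side is a field path, not the string "$name"
        return resolve_field_path(doc, expr[1:])
    if isinstance(expr, dict):
        if "$literal" in expr:
            # $literal returns its argument verbatim, dollar sign included
            return expr["$literal"]
        return {k: evaluate_expression(doc, v) for k, v in expr.items()}
    return expr


def project(doc, spec):
    """Apply a $project-like specification to one document."""
    return {key: evaluate_expression(doc, value) for key, value in spec.items()}


# Hypothetical application code that builds a projection from user input.
def build_project_naive(user_value):
    # Vulnerable: the untrusted value sits directly on the right-hand side,
    # so "$secret.api_key" is read as a field path and leaks that field.
    return {"label": user_value}


def build_project_literal(user_value):
    # Hardened with $literal: the value is emitted exactly as given.
    return {"label": {"$literal": user_value}}


def build_project_checked(user_value):
    # Alternative the ticket mentions: refuse values with a leading dollar sign.
    if isinstance(user_value, str) and user_value.startswith("$"):
        raise ValueError("untrusted value must not begin with '$'")
    return {"label": user_value}


# Constructed sample document (not real data).
SAMPLE_DOC = {"_id": 1, "name": "alice", "secret": {"api_key": "CONSTRUCTED-KEY"}}
UNTRUSTED_INPUT = "$secret.api_key"  # constructed attacker-style value


if __name__ == "__main__":
    print("naive:   ", project(SAMPLE_DOC, build_project_naive(UNTRUSTED_INPUT)))
    print("$literal:", project(SAMPLE_DOC, build_project_literal(UNTRUSTED_INPUT)))
    try:
        build_project_checked(UNTRUSTED_INPUT)
    except ValueError as exc:
        print("checked: rejected:", exc)
```

The naive builder returns the value of the secret field, the $literal builder returns the literal string "$secret.api_key", and the checking builder refuses the input before any pipeline is built. The second and third builders are equivalent in effect here, which is the ticket's point: once the client has to remember to apply one of them everywhere, the protection depends on discipline rather than on the syntax.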
- related to SERVER-55509 {example: /regex/} and {example: {$eq: /regex/}} do not mean the same thing (status: Backlog)
- SERVER-5782 need a $literal operator to help prevent injection attacks (status: Closed)