Core Server
SERVER-10840

injection is too easy with agg framework syntax

    • Query Optimization

      The aggregation framework supports a syntax with dollar sign field name selection on the right-hand side. This creates a potential for an injection style attack analogous to sql injection.

      There is now a $literal operator (SERVER-5782). However, the claim of this ticket is that that isn't sufficient. It does solve an issue – you can use dollar signs in literals – but doesn't really solve the injection issue. A client that is smart enough always to use $literal could just as easily look for leading dollar signs instead, for example.

      Of particular importance here would be if the aggregation framework syntax migrates into the regular query syntax. Then, if one failed to use $literal, there would likely be a good number of apps out there with an injection vulnerability, either in projection or in querying.

      One solution would be to use a lhs rather than rhs operator, e.g.:

      { x : "$foo" }

      ->

      { x : { $get : "foo" } }

      The main concern here is if this operator were to move beyond the $project operator phrases and into other things.
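      The following is an added example, not code from the ticket or from MongoDB itself. It is a miniature JavaScript model of how a $project expression evaluates its right-hand side, enough to show the injection the ticket describes (an untrusted string beginning with "$" is read as a field path) alongside the mitigations the ticket discusses: wrapping in $literal, rejecting a leading dollar sign on the client, and the proposed left-hand-side syntax where only a { $get : "path" } object reads a field. The evaluator, its "rhs"/"lhs" modes, the $get operator and the sample document are all constructed for illustration; only $literal and $concat correspond to real aggregation operators, and only a handful of operators are modelled.

```javascript
// Added example (not the ticket's or MongoDB's code): a tiny model of how a
// $project expression treats its right-hand side, to demonstrate the injection
// and the mitigations discussed in the ticket.

// Resolve a dotted path such as "user.name" against a document.
function getPath(doc, path) {
  return path.split(".").reduce(
    (cur, key) => (cur !== null && cur !== undefined ? cur[key] : undefined),
    doc
  );
}

// Evaluate one expression against doc.
//   mode "rhs": a string beginning with "$" is a field reference (today's syntax).
//   mode "lhs": strings are always literals; { $get: "path" } is the only field
//               reference (the left-hand-side operator the ticket proposes; hypothetical).
function evalExpr(doc, expr, mode = "rhs") {
  if (typeof expr === "string") {
    if (mode === "rhs" && expr.startsWith("$")) return getPath(doc, expr.slice(1));
    return expr;
  }
  if (Array.isArray(expr)) return expr.map((e) => evalExpr(doc, e, mode));
  if (expr !== null && typeof expr === "object") {
    const keys = Object.keys(expr);
    if (keys.length === 1 && keys[0].startsWith("$")) {
      const op = keys[0];
      const arg = expr[op];
      if (op === "$literal") return arg; // never interpreted, in either mode
      if (op === "$get" && mode === "lhs") return getPath(doc, arg);
      if (op === "$concat") {
        return arg.map((e) => String(evalExpr(doc, e, mode))).join("");
      }
      throw new Error(`unsupported operator ${op} in mode ${mode}`);
    }
    // Plain nested object: evaluate each field's expression.
    const out = {};
    for (const k of keys) out[k] = evalExpr(doc, expr[k], mode);
    return out;
  }
  return expr; // numbers, booleans, null pass through unchanged
}

// Constructed sample document. passwordHash is a field that a caller supplying
// a "display label" should never be able to pull into the projection.
const SAMPLE_DOC = {
  _id: 1,
  name: "alice",
  passwordHash: "hash-constructed",
  role: "user",
};

// Vulnerable: the untrusted value is placed straight on the right-hand side.
// "$passwordHash" is read as a field reference and leaks the hash.
function labelUnsafe(userInput) {
  return evalExpr(SAMPLE_DOC, { label: userInput }).label;
}

// Mitigation 1: wrap the value in $literal so it is never treated as a field path.
function labelLiteral(userInput) {
  return evalExpr(SAMPLE_DOC, { label: { $literal: userInput } }).label;
}

// Mitigation 2: the client-side check the ticket mentions, i.e. reject any
// user-supplied string that begins with "$" (and any non-string at all).
function labelChecked(userInput) {
  if (typeof userInput !== "string" || userInput.startsWith("$")) {
    throw new Error("rejected: user-supplied value must be a string not starting with $");
  }
  return evalExpr(SAMPLE_DOC, { label: userInput }).label;
}

// Mitigation 3: the proposed lhs syntax. Field reads are explicit via $get, so a
// user-supplied string can only ever be a literal.
function labelLhsSyntax(userInput) {
  return evalExpr(SAMPLE_DOC, { label: userInput, owner: { $get: "name" } }, "lhs");
}

// Stand-alone demonstration.
console.log("unsafe :", labelUnsafe("$passwordHash"));
console.log("literal:", labelLiteral("$passwordHash"));
console.log("lhs    :", labelLhsSyntax("$passwordHash"));
```

      Note that the lhs form only makes strings safe. If an application lets a caller control the structure of the expression (e.g. it deserialises JSON straight into the pipeline), a supplied { $get : "passwordHash" } object would still read the field, so type validation of untrusted input (string expected, string required) is needed in every one of these variants.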

            Assignee:
            backlog-query-optimization [DO NOT USE] Backlog - Query Optimization
            Reporter:
            dwight@mongodb.com Dwight Merriman
            Votes:
            0
            Watchers:
            16