Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-11015

REST queries on documents containing javascript content returns incorrect JSON

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Done
    • Priority: Icon: Critical - P2 Critical - P2
    • 2.5.5
    • Affects Version/s: 2.4.3
    • Component/s: HTTP Console, Internal Code
    • None
    • Environment:
      platform independant
    • ALL
    • Hide

      Issue reproduced via this specific use case:

      1/ enable REST on the database
      2/ create a database (let's say "demo")
      3/ enable profiling on this database (level 2 to profile everything)
      4/ execute a javascript file on the database

      Arbitrary example:

      var i = 0;
      while(i<1){
      db.runCommand( {
      eval: function(name, incAmount) {
      var doc =

      { name : name , num : 0 , total : 0 , avg : incAmount }

      ;
      db.collection1.save( doc );
      return doc;
      },
      args: [ "eliot", i ]
      }
      );
      i++;
      }

      5/ do a REST query on the "system.profile" collection for "demo"

      (for example: http://localhost:28017/demo/system.profile/)

      Resulting JSON is incorrect (javascript command is not escaped)

      See attached file "json_profiles.json".

      Show
      Issue reproduced via this specific use case: 1/ enable REST on the database 2/ create a database (let's say "demo") 3/ enable profiling on this database (level 2 to profile everything) 4/ execute a javascript file on the database Arbitrary example: var i = 0; while(i<1){ db.runCommand( { eval: function(name, incAmount) { var doc = { name : name , num : 0 , total : 0 , avg : incAmount } ; db.collection1.save( doc ); return doc; }, args: [ "eliot", i ] } ); i++; } 5/ do a REST query on the "system.profile" collection for "demo" (for example: http://localhost:28017/demo/system.profile/ ) Resulting JSON is incorrect (javascript command is not escaped) See attached file "json_profiles.json".

      If the content of a JSON document value is javascript, the result of a query via the REST interface does not escape this javascript content.
      Resulting content is not correct JSON.

      (tested via a query on "system.profiles" collection -> profiles having commands with javascript content).

        1. json_profiles.json.txt
          0.6 kB

            Assignee:
            sverch Shaun Verch
            Reporter:
            david_fr David Regnier
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated:
              Resolved: