  1. Core Server
  2. SERVER-20362

JS Scopes may leak between synthetic users with '@' in name and database

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • 4.3.1
    • Affects Version/s: 3.1.7
    • Component/s: JavaScript
    • Fully Compatible
    • ALL

      Create two users:
      The first shall be named 'x@y' and will exist on 'z'.
      The second shall be named 'x' and will exist on 'y@z'.

      In window 1:

      > use z
      switched to db z
      > db.createUser({user: "x@y", pwd: "pwd", roles: []})
      Successfully added user: { "user" : "x@y", "roles" : [ ] }
      > db.auth("x@y", "pwd")
      1
      > use dbx
      switched to db dbx
      

      In window 2:

      > use y@z
      switched to db y@z
      > db.createUser({user: "x", pwd: "pwd", roles: []})
      Successfully added user: { "user" : "x", "roles" : [ ] }
      > db.auth("x", "pwd")
      2015-09-10T17:51:49.902-0400 I ACCESS   [conn1] Successfully authenticated as principal x on y@z
      1
      > use dbx
      switched to db dbx
      > db.col.insert({})
      WriteResult({ "nInserted" : 1 })
      > db.col.find({$where: "globalThing = \"B\"; return true"})
      

      Back in the first window:

      db.col.find({$where: "print(globalThing); globalThing = \"A\"; return true"})
      

      Mongod will print "B".

    • Security 15 (06/03/16), Security 2020-02-10, Security 2020-02-24

      The ScopePool identifies the scope it should acquire from its map by creating a key with the following structure:

      <db><JSOperation>[\0<user>@<db>]
      

      As '@' is a legal character in both <user> and <db>, it is possible to construct two users so as to cause a collision.
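
The collision described above, reproduced as an added example (not MongoDB's ScopePool code and not part of the original ticket). The operation tag "where", the toy pool and the length-prefixed key are assumptions for illustration; the ticket does not say how the key was changed in the fix.

```cpp
#include <iostream>
#include <map>
#include <string>

// An authenticated principal: user name plus the database it was created on.
struct Principal {
    std::string user;
    std::string db;
};

// Key layout quoted in the ticket: <db><JSOperation>[\0<user>@<db>]
// (authenticated case only; the operation tag passed in is a placeholder).
std::string ambiguousKey(const std::string& opDb, const std::string& jsOp,
                         const Principal& p) {
    std::string key = opDb + jsOp;
    key.push_back('\0');
    return key + p.user + "@" + p.db;
}

// Hypothetical alternative: length-prefix every field, so no character that
// is legal inside a name can be mistaken for a field separator.
std::string lengthPrefixedKey(const std::string& opDb, const std::string& jsOp,
                              const Principal& p) {
    auto field = [](const std::string& s) { return std::to_string(s.size()) + ":" + s; };
    return field(opDb) + field(jsOp) + field(p.user) + field(p.db);
}

// Toy pool mapping key -> JS globals. Window 2 sets globalThing = "B",
// then window 1 reads globalThing from whatever scope its own key selects.
template <typename KeyFn>
std::string valueSeenByWindow1(KeyFn makeKey) {
    std::map<std::string, std::map<std::string, std::string>> pool;
    const Principal window1{"x@y", "z"};   // user 'x@y' on db 'z'
    const Principal window2{"x", "y@z"};   // user 'x' on db 'y@z'
    pool[makeKey("dbx", "where", window2)]["globalThing"] = "B";
    return pool[makeKey("dbx", "where", window1)]["globalThing"];
}

int main() {
    std::cout << "ambiguous key:       '" << valueSeenByWindow1(ambiguousKey) << "'\n";
    std::cout << "length-prefixed key: '" << valueSeenByWindow1(lengthPrefixedKey) << "'\n";
}
```

Both principals serialize to `x@y@z` under the ticket's layout, so they share one pooled scope; with unambiguous field boundaries the second lookup finds no existing scope.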

            Assignee: Sara Golemon (sara.golemon@mongodb.com)
            Reporter: Spencer Jackson (spencer.jackson@mongodb.com)