- Type: Task
- Resolution: Unresolved
- Priority: Major - P3
- Affects Version/s: None
- Component/s: None
- Server Security
- Security 2024-01-22, Security 2024-02-05, Security 2024-02-19, Security 2024-03-04, Security 2024-09-02, Security 2024-09-16, Security 2024-09-30
Currently, we have a lot of calls to cc() hidden in our Authentication and Authorization subsystem. However, in this system we should always be operating within a client and operation context, which means we should have the pointer to it somewhere above in the stack. Calling cc() seems like a byproduct of poor design, so we should audit calls to cc() within authz/n and ensure that we are passing a client or opCtx down whenever necessary.