
Let's say I have two collections in my MongoDB database and an HTTP service which a user can use to submit a JSON object. The parsed JSON is then used like this:

```javascript
db.public_collection.find(user_json).limit(10)
```

This is performed by an RBAC user without write access.

Using the $where operator, could a user:

  1. Alter records in the collection (I assume RBAC prevents this)?
  2. Alter records in another collection?
  3. Perform a resource-intensive query which caused the server to slow down?
TDN169
  • I'm not sure what you are asking. If you are executing a find() method and the user has no read access, how can the find command be executed? – Robert Moskal Apr 06 '16 at 15:51
  • Oops, that was a typo - now changed to write access. – TDN169 Apr 06 '16 at 15:53
  • [What should every programmer know about security?](https://stackoverflow.com/questions/2794016/what-should-every-programmer-know-about-security) – styvane Apr 06 '16 at 16:30
  • If you read the [documentation](https://docs.mongodb.org/manual/reference/operator/query/where/#restrictions) then you basically get your answers. 1. No. It's not a "write" operation to begin with so not possible, regardless of access. 2. No (see 1), and actually has no access to anything other than the current document. 3. As the saying goes *"enough rope to hang yourself"*. The general issues are already covered in ["How does MongoDB avoid the SQL injection mess?"](http://stackoverflow.com/a/5021598/5031275). Notably there are documentation links in the comments to other valid points. – Blakes Seven Apr 08 '16 at 00:11

2 Answers

0

This is not a great idea. See Testing for NoSQL Injection and NoSQL injection in MongoDB for examples on how this might be abused to create a denial of service attack by injecting JavaScript functions into the query, or otherwise leak information you didn't intend the user to have access to.

Steven Soroka
-2

Your RBAC setup would govern access to the HTTP service. Having the mongo find method in a function won't allow anything but find/read operations to that particular collection. Nothing precludes the user from specifying an expensive query. However, a query spanning a single collection is unlikely to be super expensive and you are limiting the results to 10.

Robert Moskal