Mongoose query condition abuse vulnerability. #8222
Comments
Good find. This issue goes all the way down to the bson layer that looks like it was fixed in bson 3.0.0, but unfortunately the mongodb driver still uses bson 1.x. We'll work around this in Mongoose 👍
@vkarpov15 how is this not a breaking change? queries like
@tomgrossman can you please open up a separate issue with code samples? If this was a breaking change, it was not an intentional one and we'll fix it ASAP.
@vkarpov15
Do you want to request a feature or report a bug?
Vulnerability
What is the current behavior?
With this vulnerability, an attacker might steal sensitive data or bypass authentication in Node.js applications that use Mongoose as a front end.
When injecting a "_bsontype" attribute into a query object (e.g., id in find(id)), Mongoose will directly ignore the query object. This can be abused since most Node.js applications treat user input as an object. For example, an attacker can force the query filter condition to be null by adding another attribute (_bsontype) to the user-input data. By doing this, an attacker can log into other users' accounts or bypass the token verification logic during password reset [1]. Even though Mongoose checks the query object against the schema when querying in the form of findOne({id: id_object}), the vulnerability can still be exploited if developers do queries like findOne(id).
Similar issues are also found in MongoDB, and we have reported them. However, just to be safe, my suggestion is that Mongoose should also filter _bsontype before invoking MongoDB, since _bsontype is an internal attribute used by MongoDB.
[1] https://github.com/Jerenaux/phaserquest/blob/a7ea970c7ef965adcdde29907a872c104b9f8508/js/server/GameServer.js#L278
If the current behavior is a bug, please provide the steps to reproduce.
Proof of Concept
What are the versions of Node.js, Mongoose and MongoDB you are using? Note that "latest" is not a version.
Mongoose 5.7.3