Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mongoose query condition abuse vulnerability. #8222

Closed
xiaofen9 opened this issue Oct 7, 2019 · 4 comments
Closed

Mongoose query condition abuse vulnerability. #8222

xiaofen9 opened this issue Oct 7, 2019 · 4 comments
Labels
confirmed-bug We've confirmed this is a bug in Mongoose and will fix it.
Milestone
5.7.5

Comments

@xiaofen9
Copy link

xiaofen9 commented Oct 7, 2019
edited
Loading

Do you want to request a feature or report a bug?
Vulnerability

What is the current behavior?
With this vulnerability, an attacker might steal sensitive data/bypass authentication in nodejs applications that use mongoose as front end.

When injecting "_bsontype" attribute to a query object (e.g., id in find(id)), Mongoose will directly ignore the query object. This can be abused since most nodejs applications treat user input as an object. For example, an attacker can force the query filter condition to be null by adding another attribute (_bsontype) to the user-input data. By doing this, an attacker can log into other users' accounts or bypass the token verification logics during password reset[1]. Even though Mongoose checks the query object according to the scheme when querying in the form of findOne(id:id_object), the vulnerability can still be exploited if developers do queries like findOne(id).

Similar issues are also found it Mongodb, and we have reported it. However, just to be safe, my suggestion is that mongoose should also filter _bsontype before invoking mongodb since _bsontype is an internal attribute used by mongodb.

[1] https://github.com/Jerenaux/phaserquest/blob/a7ea970c7ef965adcdde29907a872c104b9f8508/js/server/GameServer.js#L278

If the current behavior is a bug, please provide the steps to reproduce.
Proof of Concept

const mongoose = require('mongoose');
mongoose.connect('mongodb://localhost/bsontype', {useNewUrlParser: true});

const Schema = mongoose.Schema;
const ObjectId = Schema.ObjectId;

const userSchema = new Schema({
	  author: ObjectId,
	  username: String,
	  password: String,
	  token: String
},);

const users = mongoose.model('users', userSchema);
token = {"t":"wrongToken","_bsontype":"a"};
users.findOne(token, function (err, res) {
	console.log(res);
});

What are the versions of Node.js, Mongoose and MongoDB you are using? Note that "latest" is not a version.
Mongoose 5.7.3
@xiaofen9 xiaofen9 changed the title Mongoose query Mongoose query condition abuse vulnerability. Oct 7, 2019
@vkarpov15 vkarpov15 added this to the 5.7.5 milestone Oct 9, 2019
@vkarpov15 vkarpov15 added the has repro script There is a repro script, the Mongoose devs need to confirm that it reproduces the issue label Oct 9, 2019
@vkarpov15
Copy link
Collaborator

Good find. This issue goes all the way down to the bson layer that looks like it was fixed in bson 3.0.0, but unfortunately the mongodb driver still uses bson 1.x. We'll work around this in Mongoose 👍

@vkarpov15 vkarpov15 added confirmed-bug We've confirmed this is a bug in Mongoose and will fix it. and removed has repro script There is a repro script, the Mongoose devs need to confirm that it reproduces the issue labels Oct 9, 2019
vkarpov15 added a commit that referenced this issue Oct 9, 2019
@vkarpov15
test(query): repro #8222
cc10e0d
@tomgrossman
Copy link

@vkarpov15 how is this not a braking change? queries like findOne(id) are not working since version 5.7.5

@vkarpov15
Copy link
Collaborator

@tomgrossman can you please open up a separate issue with code samples? If this was a breaking change, it was not an intentional one and we'll fix it ASAP.

@tomgrossman tomgrossman mentioned this issue Oct 22, 2019
Closed
@tomgrossman
Copy link

@vkarpov15
done
#8268

vkarpov15 added a commit that referenced this issue Jul 12, 2020
@vkarpov15
fix(query): delete top-level _bsontype property in queries to preve…
f88eb25 
…nt silent empty queries

Backport fix for #8222
Fix #8241
This was referenced Mar 11, 2021
Merged
Open
Open
Closed
Merged
Open
Merged
Closed
Closed
Merged
Merged
Closed
Closed
Open
Open
This was referenced Mar 18, 2021
Merged
Closed
@github-actions github-actions bot mentioned this issue May 11, 2022
Closed
@github-actions github-actions bot mentioned this issue Aug 1, 2022
Open
vkarpov15 added a commit that referenced this issue Sep 5, 2022
@vkarpov15
test: check if #8222 error is caught in Deno re: #9056
c13f2a6
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
confirmed-bug We've confirmed this is a bug in Mongoose and will fix it.
Projects
None yet
Milestone
5.7.5
Development

No branches or pull requests
3 participants
@vkarpov15 @tomgrossman @xiaofen9