Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Mongoose query condition abuse vulnerability. #8222

Closed
xiaofen9 opened this issue Oct 7, 2019 · 4 comments
Closed

Mongoose query condition abuse vulnerability. #8222

xiaofen9 opened this issue Oct 7, 2019 · 4 comments
Labels
confirmed-bug We've confirmed this is a bug in Mongoose and will fix it.
Milestone

Comments

@xiaofen9
Copy link

xiaofen9 commented Oct 7, 2019

Do you want to request a feature or report a bug?
Vulnerability

What is the current behavior?
With this vulnerability, an attacker might steal sensitive data/bypass authentication in nodejs applications that use mongoose as front end.

When injecting "_bsontype" attribute to a query object (e.g., id in find(id)), Mongoose will directly ignore the query object. This can be abused since most nodejs applications treat user input as an object. For example, an attacker can force the query filter condition to be null by adding another attribute (_bsontype) to the user-input data. By doing this, an attacker can log into other users' accounts or bypass the token verification logics during password reset[1]. Even though Mongoose checks the query object according to the scheme when querying in the form of findOne(id:id_object), the vulnerability can still be exploited if developers do queries like findOne(id).

Similar issues are also found it Mongodb, and we have reported it. However, just to be safe, my suggestion is that mongoose should also filter _bsontype before invoking mongodb since _bsontype is an internal attribute used by mongodb.

[1] https://github.com/Jerenaux/phaserquest/blob/a7ea970c7ef965adcdde29907a872c104b9f8508/js/server/GameServer.js#L278

If the current behavior is a bug, please provide the steps to reproduce.
Proof of Concept

const mongoose = require('mongoose');
mongoose.connect('mongodb://localhost/bsontype', {useNewUrlParser: true});

const Schema = mongoose.Schema;
const ObjectId = Schema.ObjectId;

const userSchema = new Schema({
	  author: ObjectId,
	  username: String,
	  password: String,
	  token: String
},);

const users = mongoose.model('users', userSchema);
token = {"t":"wrongToken","_bsontype":"a"};
users.findOne(token, function (err, res) {
	console.log(res);
});

What are the versions of Node.js, Mongoose and MongoDB you are using? Note that "latest" is not a version.
Mongoose 5.7.3

@xiaofen9 xiaofen9 changed the title Mongoose query Mongoose query condition abuse vulnerability. Oct 7, 2019
@vkarpov15 vkarpov15 added this to the 5.7.5 milestone Oct 9, 2019
@vkarpov15 vkarpov15 added the has repro script There is a repro script, the Mongoose devs need to confirm that it reproduces the issue label Oct 9, 2019
@vkarpov15
Copy link
Collaborator

Good find. This issue goes all the way down to the bson layer that looks like it was fixed in bson 3.0.0, but unfortunately the mongodb driver still uses bson 1.x. We'll work around this in Mongoose 👍

@vkarpov15 vkarpov15 added confirmed-bug We've confirmed this is a bug in Mongoose and will fix it. and removed has repro script There is a repro script, the Mongoose devs need to confirm that it reproduces the issue labels Oct 9, 2019
vkarpov15 added a commit that referenced this issue Oct 9, 2019
@tomgrossman
Copy link

@vkarpov15 how is this not a braking change? queries like findOne(id) are not working since version 5.7.5

@vkarpov15
Copy link
Collaborator

@tomgrossman can you please open up a separate issue with code samples? If this was a breaking change, it was not an intentional one and we'll fix it ASAP.

@tomgrossman
Copy link

@vkarpov15
done
#8268

vkarpov15 added a commit that referenced this issue Jul 12, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
confirmed-bug We've confirmed this is a bug in Mongoose and will fix it.
Projects
None yet
Development

No branches or pull requests

3 participants