> db.version()
3.4.2
Command being executed to start:
-------------------
/usr/bin/mongod --config /etc/mongod.conf
Mongodb startup log snippet:
-------------------
options: { config: "/etc/mongod.conf", net: { bindIp: "0.0.0.0", port: 27017, ssl: { CAFile: "***", PEMKeyFile: "***", allowInvalidHostnames: true, mode: "requireSSL" } }, security: { javascriptEnabled: false }, storage: { dbPath: "/mongodb/db", journal: { enabled: true } }, systemLog: { destination: "file", logAppend: true, path: "/mongodb/log/mongodb.log" } }
2017-09-15T01:36:06.358+0000 I STORAGE [initandlisten] wiredtiger_open config: create,cache_size=12554M,session_max=20000,eviction=(threads_max=4),config_base=false,statistics=(fast),log=(enabled=true,archive=true,path=journal,compressor=snappy),file_manager=(close_idle_time=100000),checkpoint=(wait=60,log_size=2GB),statistics_log=(wait=0)
/etc/mongod.conf
----------------
security:
  javascriptEnabled: false
Issue:
-----
> load("/test.js")
In test.js
true
Why does MongoDB allow the test.js file to execute when javascriptEnabled is set to false?
Thank you for any pointers/help.
Ashok
Hi Ashok,
The important distinction in this case is between server and client contexts. The security.javascriptEnabled option disables server-side JavaScript execution, but does not affect execution in a client such as the mongo shell.
The mongo shell is an interactive JavaScript interface to MongoDB that is similar in many respects to the drivers that interact with MongoDB. For example, running a command in the shell presents the same security risks as running that command using the Python driver. To control access to your database server from the mongo shell or another application, MongoDB provides authentication and authorization options.
Certain MongoDB operations, such as the $where query operator, the mapReduce command and db.collection.mapReduce() method, and the group command and db.collection.group() method, permit the running of arbitrary server-side JavaScript. The security.javascriptEnabled option disables JavaScript execution by these operations.
Evaluating JavaScript in these commands has some performance disadvantages and may present a security risk, so you should only use them when you cannot express your query with standard MongoDB commands and operators.
If you attempt to use JavaScript in one of these commands with security.javascriptEnabled set to false, the operation fails:
> db.collection.insertOne( { _id: 1 } );
> db.collection.find( { $where: "this._id == 1" } );
Error: error: {
"ok": 0,
"errmsg": "no globalScriptEngine in $where parsing",
"code": 2,
"codeName": "BadValue"
}
Cheers,
Brian
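To make the server/client distinction from the answer above concrete, here is an added example (written for this page, not code from the thread or from MongoDB itself). It embeds the startup-log "options:" document from the question as a JavaScript object literal (the log prints it in exactly that syntax; the certificate paths stay masked as in the log), checks that server-side JavaScript is disabled, and adds an application-side guard that refuses to send a filter containing $where before the server has to reject it with "no globalScriptEngine in $where parsing". The function names serverSideJsDisabled, findWhereClauses, assertNoServerSideJs and demo are assumptions of this example, not MongoDB or driver APIs.

```javascript
// Added example, not from the original thread or from MongoDB.
// Two defender-side checks:
//  1) confirm from the parsed mongod options that server-side JS is disabled;
//  2) refuse, in the application, to send a filter that needs server-side JS.
'use strict';

// Constructed sample: the "options:" document printed in the mongod startup
// log is valid JS object-literal syntax, so it can be embedded directly.
// Values are those shown in the question; certificate paths are masked there.
const startupOptions = {
  config: "/etc/mongod.conf",
  net: {
    bindIp: "0.0.0.0", port: 27017,
    ssl: { CAFile: "***", PEMKeyFile: "***", allowInvalidHostnames: true, mode: "requireSSL" },
  },
  security: { javascriptEnabled: false },
  storage: { dbPath: "/mongodb/db", journal: { enabled: true } },
  systemLog: { destination: "file", logAppend: true, path: "/mongodb/log/mongodb.log" },
};

// True only when server-side JavaScript is explicitly disabled. mongod
// defaults security.javascriptEnabled to true, so a missing key means enabled.
function serverSideJsDisabled(options) {
  const security = options && options.security;
  return Boolean(security) && security.javascriptEnabled === false;
}

// Walk a query filter and collect every location of a $where clause,
// including inside $and/$or/$nor arrays and nested documents. Returns dotted
// paths so the caller can log which part of the filter carried the clause.
function findWhereClauses(filter, path = '', found = []) {
  if (filter === null || typeof filter !== 'object') return found;
  if (Array.isArray(filter)) {
    filter.forEach((item, i) => findWhereClauses(item, `${path}[${i}]`, found));
    return found;
  }
  for (const [key, value] of Object.entries(filter)) {
    const here = path ? `${path}.${key}` : key;
    if (key === '$where') found.push(here);
    else findWhereClauses(value, here, found);
  }
  return found;
}

// Application-side guard: reject a filter that would require server-side JS.
// With javascriptEnabled: false the server rejects it anyway (code 2, BadValue);
// failing here makes the policy explicit in code and keeps the error out of
// the server log. Returns the filter unchanged when it is clean.
function assertNoServerSideJs(filter) {
  const hits = findWhereClauses(filter);
  if (hits.length > 0) {
    throw new Error(`filter uses $where at: ${hits.join(', ')}`);
  }
  return filter;
}

// Demonstration using the two filters from the answer: the plain one passes,
// the $where one is rejected before it reaches the server.
function demo() {
  const plain = { _id: 1 };
  const usesWhere = { $or: [{ _id: 1 }, { $where: "this._id == 1" }] };
  let whereRejected;
  try { assertNoServerSideJs(usesWhere); whereRejected = false; }
  catch (e) { whereRejected = true; }
  return {
    jsDisabledOnServer: serverSideJsDisabled(startupOptions),
    plainAccepted: assertNoServerSideJs(plain) === plain,
    whereRejected,
    wherePaths: findWhereClauses(usesWhere),
  };
}
```

Note that the guard is a complement to the server setting, not a replacement: javascriptEnabled: false is what actually stops $where, mapReduce and group from running JavaScript on the server, while the application check only keeps such filters from being built in the first place.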