Samin061 opened a new pull request, #5109:
URL: https://github.com/apache/calcite/pull/5109
## Changes Proposed
**MongoDB pipeline injection through unescaped quotes in pushed-down field
references**
The Mongo adapter renders `$project`/`$group` stages as strings that are
later parsed with `BsonDocument.parse`. `MongoRules.quote` wrapped a value in
single quotes but left embedded single quotes and backslashes untouched (the
old `// TODO: handle embedded quotes`), and the `ITEM` path that handles
`_MAP['key']` built `'$key'` the same way. Since the item key and field names
come straight from the SQL statement, a value carrying a single quote closes
the quoted token early and the rest is parsed as further pipeline syntax.
Reproduction: a projection such as `SELECT _MAP['x'', evil: {$literal: 1},
y: ''z'] FROM mongo` generates `{$project: {..., evil: {$literal: 1}, ...}}`,
so an extra stage field lands in the pipeline sent to MongoDB. After the fix
the key stays a single string.
The escaping lives in `quote` because that is the one place every field
reference passes through; the item-key branch now routes through it, and the
aggregate paths already call it. Added a unit test that fails on the old code.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]