Samin061 opened a new pull request, #5109:
URL: https://github.com/apache/calcite/pull/5109

   ## Changes Proposed
   
   **MongoDB pipeline injection through unescaped quotes in pushed-down field 
references**
   
   The Mongo adapter renders `$project`/`$group` stages as strings that are 
later parsed with `BsonDocument.parse`. `MongoRules.quote` wrapped a value in 
single quotes but left embedded single quotes and backslashes untouched (the 
old `// TODO: handle embedded quotes`), and the `ITEM` path that handles 
`_MAP['key']` built `'$key'` the same way. Since the item key and field names 
come straight from the SQL statement, a value carrying a single quote closes 
the quoted token early and the rest is parsed as further pipeline syntax.
   
   Reproduction: a projection such as `SELECT _MAP['x'', evil: {$literal: 1}, 
y: ''z'] FROM mongo` generates `{$project: {..., evil: {$literal: 1}, ...}}`, 
so an extra stage field lands in the pipeline sent to MongoDB. After the fix 
the key stays a single string.
   
   The escaping lives in `quote` because that is the one place every field 
reference passes through; the item-key branch now routes through it, and the 
aggregate paths already call it. Added a unit test that fails on the old code.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to