On Wed, Dec 06, 2023 at 07:06:30PM -0500, Wietse Venema via Postfix-devel wrote:
> I have been adding text to the mongodb_table that any text pasted
> in the place of a %letter directive in result_format will be subject
> to escaping, that is, Postfix inserts a backslash character before
> a double quote or backslash character.
>
> This ensures that the result will have the same structure as
> result_format: each string in the result_format is still exactly
> one string in the result, and each special character {}[], etc. is
> still exactly one in the result. An attacker cannot 'control' how
> the result will be processed.
>
> What about projections? Given
>
>     projection = { "_id":0, "mail_path": {"$concat": ["$domain", "/",
>     "$local_part"]} }
>
> what if $domains contains
>
>     foo"]}, nasty stuff...
>

Here "$domain" is a *field name* from the JSON schema. The `$concat`
operator will use the associated response element as part of
constructing the value of the "mail_path" element of the response.

I don't think there's a problem here as such. However, I am concerned
about the use of `bson_new_from_json()` and its need to quote the
MongoDB operators. This feels completely unnatural. How is there then
a distinction between:

    $or: [...]

and

    "$or": [...]

the latter should be a verbatim key called "$or", not a MongoDB
operator.

How do we avoid having issues with inputs that contain a leading "$", or
are the leading "$" signs only special in the JSON object key, rather
than the value?

This needs to be understood and documented. As well as clarifying any
potential confusion around projections...

--
    Viktor.
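The escaping rule quoted at the top of this message, as an added example that is not part of the thread and not Postfix code: it expands a JSON template with and without the backslash rule and counts string literals and structural characters in the result. The names `expand` and `json_shape`, the `%s`-only template and the sample template are assumptions made for illustration, and the counter is a simplified scanner rather than a JSON parser.

```c
#include <stdio.h>
#include <string.h>
/* Added illustration, not Postfix source; names are hypothetical. Expand %s in tmpl
 * with value; if escape, put '\\' before '"' and '\\'. Returns -1 if out is too small. */
int expand(char *out, size_t cap, const char *tmpl, const char *value, int escape)
{
    size_t n = 0;
    if (cap == 0) return -1;
    for (const char *t = tmpl; *t; t++) {
        if (t[0] == '%' && t[1] == 's') {
            for (const char *v = value; *v; v++) {
                if (n + 3 > cap) return -1;          /* escape + char + NUL */
                if (escape && (*v == '"' || *v == '\\')) out[n++] = '\\';
                out[n++] = *v;
            }
            t++;                                     /* skip the 's' */
        } else if (n + 2 > cap) return -1;           /* char + NUL */
        else out[n++] = *t;
    }
    out[n] = '\0';
    return 0;
}

/* Count string literals and the structural characters outside them. */
void json_shape(const char *json, int *strings, int *structural)
{
    int in_str = 0;
    *strings = *structural = 0;
    for (const char *p = json; *p; p++) {
        if (in_str) {
            if (*p == '\\' && p[1]) p++;             /* skip escaped char */
            else if (*p == '"') in_str = 0;
        } else if (*p == '"') { in_str = 1; ++*strings; }
        else if (strchr("{}[],:", *p)) ++*structural;
    }
}

int main(void)
{
    /* Constructed template; the input is the example quoted in the thread. */
    const char *tmpl = "{\"mail_path\": [\"%s\", \"/\"]}";
    const char *in = "foo\"]}, nasty stuff...";
    for (int esc = 0; esc <= 1; esc++) {
        char out[256]; int s, c;
        if (expand(out, sizeof out, tmpl, in, esc) != 0) return 1;
        json_shape(out, &s, &c);
        printf("escape=%d %s strings=%d structural=%d\n", esc, out, s, c);
    }
    return 0;
}
```

The counts only show where string boundaries fall after expansion. How the server interprets a string value that begins with `$` is a separate question that this does not answer.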