On Wed, Dec 06, 2023 at 07:06:30PM -0500, Wietse Venema via Postfix-devel wrote:

> I have been adding text to the mongodb_table that any text pasted
> in the place of a %letter directive in result_format will be subject
> to escaping, that is, Postfix inserts a backslash character before
> a double quote or backslash character.
> 
> This ensures that the result will have the same structure as
> result_format: each string in the result_format is still exactly
> one string in the result, and each special character {}[], etc. is
> still exactly one in the result. An attacker cannot 'control' how
> the result will be processed.
> 
> What about projections? Given
> 
>     projection = { "_id":0, "mail_path": {"$concat": ["$domain", "/", "$local_part"]} }
> 
> what if $domains contains 
> 
>     foo"]}, nasty stuff...
> 

Here "$domain" is a *field name* from the JSON schema.  The `$concat`
operator will use the associated response element as part of
constructing the value of the "mail_path" element of the response.

I don't think there's a problem here as such.

However, I am concerned about the use of `bson_new_from_json()` and its
need to quote the MongoDB operators.  This feels completely unnatural.
How is there then a distinction between:

    $or: [...]

and

    "$or": [...]

the latter should be a verbatim key called "$or", not a MongoDB
operator.  How do we avoid having issues with inputs that contain a
leading "$", or are the leading "$" signs only special in the JSON
object key, rather than the value?  This needs to be understood and
documented.  As well as clarifying any potential confusion around
projections...

-- 
    Viktor.
_______________________________________________
Postfix-devel mailing list -- postfix-devel@postfix.org
To unsubscribe send an email to postfix-devel-le...@postfix.org
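The escaping rule quoted above, and the key-versus-value question raised about leading "$", can be checked mechanically. The Python below is an added illustration written for this thread, not Postfix code: it models the rule "insert a backslash before every double quote and backslash in text that replaces a %letter directive", expands a constructed filter template, and then compares the JSON structure before and after expansion. Assumptions: only the %s and %% directives are modelled (the real mongodb_table directive set is not reproduced), the filter template is constructed for the example, and Python's json parser stands in for bson_new_from_json(); the projection is the one from the quoted message.

```python
import json
import re

# Escaping rule from the thread: a backslash before every backslash and every
# double quote, so the substituted text can never close the JSON string it sits in.
def json_string_escape(text: str) -> str:
    return text.replace("\\", "\\\\").replace('"', '\\"')


def expand_template(template: str, value: str, escape: bool = True) -> str:
    """Replace %s with the (optionally escaped) value and %% with a literal '%'.

    The directive set is an assumption for this example; only the escaping
    step is the point.  escape=False shows what happens without the rule.
    """
    piece = json_string_escape(value) if escape else value

    def repl(m: "re.Match[str]") -> str:
        directive = m.group(1)
        if directive == "%":
            return "%"
        if directive == "s":
            return piece  # callable replacement: inserted literally, no re-escaping
        raise ValueError(f"unsupported directive %{directive}")

    return re.sub(r"%(.)", repl, template)


def expanded_doc(template: str, value: str, escape: bool = True):
    """Expand and parse; json.loads stands in for bson_new_from_json() here."""
    return json.loads(expand_template(template, value, escape))


def shape(doc):
    """Structure of a document with every string value blanked out."""
    if isinstance(doc, dict):
        return {k: shape(v) for k, v in doc.items()}
    if isinstance(doc, list):
        return [shape(v) for v in doc]
    if isinstance(doc, str):
        return "<string>"
    return doc


def structure_preserved(template: str, value: str, escape: bool = True) -> bool:
    """True when the expanded document has exactly the template's structure:
    same keys, same nesting, each template string still one string."""
    try:
        return shape(expanded_doc(template, value, escape)) == shape(json.loads(template))
    except json.JSONDecodeError:
        return False


def operator_keys(doc, path: str = "") -> list:
    """Dotted paths of every object *key* beginning with '$' (operator position)."""
    found = []
    if isinstance(doc, dict):
        for k, v in doc.items():
            p = f"{path}.{k}" if path else k
            if k.startswith("$"):
                found.append(p)
            found.extend(operator_keys(v, p))
    elif isinstance(doc, list):
        for i, v in enumerate(doc):
            found.extend(operator_keys(v, f"{path}[{i}]"))
    return found


def dollar_strings(doc) -> list:
    """Every string *value* beginning with '$', e.g. field references in a projection."""
    if isinstance(doc, dict):
        return [s for v in doc.values() for s in dollar_strings(v)]
    if isinstance(doc, list):
        return [s for v in doc for s in dollar_strings(v)]
    return [doc] if isinstance(doc, str) and doc.startswith("$") else []


# Constructed filter template for the example (not from the mongodb_table docs).
FILTER_TEMPLATE = '{"$or": [{"username": "%s"}, {"alias": "%s"}]}'
# Projection and probe value exactly as quoted in the thread.
PROJECTION = '{"_id": 0, "mail_path": {"$concat": ["$domain", "/", "$local_part"]}}'
NASTY = 'foo"]}, nasty stuff...'


if __name__ == "__main__":
    print("escaped   :", expand_template(FILTER_TEMPLATE, NASTY))
    print("structure preserved with escaping   :", structure_preserved(FILTER_TEMPLATE, NASTY))
    print("structure preserved without escaping:", structure_preserved(FILTER_TEMPLATE, NASTY, escape=False))
    # A '$' in substituted text can only ever land inside a string value:
    print("operator keys after substituting '$where':",
          operator_keys(expanded_doc(FILTER_TEMPLATE, "$where")))
    # In the projection, "$domain" and "$local_part" are string values, "$concat" is the key.
    print("projection operator keys:", operator_keys(json.loads(PROJECTION)))
    print("projection '$' values   :", dollar_strings(json.loads(PROJECTION)))
```

With escaping, the probe value is parsed back as one string under "username" and "alias" and the document's shape is identical to the template's; without escaping the expansion is not valid JSON at all. The two walkers separate the positions the thread is asking about: a "$" in substituted text only ever appears in `dollar_strings()` output (value position), never in `operator_keys()` output (key position), while in the projection "$concat" is the key and "$domain" / "$local_part" are plain string values.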