Restrict `explain` to the master key #7519

mstniy · 2021-08-24T11:19:58Z

New Feature / Enhancement Checklist

I am not disclosing a vulnerability.
I am not just asking a question.
I have searched through existing issues.

Current Limitation

Currently, any user is able to run a query with the explain parameter and obtain the raw result returned by MongoDB. This discloses too much information to the clients, nor is it of great utility to them.

Feature / Enhancement Description

The use of the explain parameter should be restricted to the master key. We can use the deprecator to shift to the new behavior gradually.

Example Use Case

n/a

Alternatives / Workarounds

n/a

3rd Party References

n/a

The text was updated successfully, but these errors were encountered:

mtrezza · 2021-08-24T12:18:42Z

Thanks for opening this issue!

Makes sense to me, would you want to open a PR for this?

mtrezza added the 🧬 enhancement label Aug 24, 2021

This was referenced Aug 24, 2021

refactor(query): deprecate explain without master key #7520

Closed

refactor(query): deprecate explain without master key #7521

Open

mtrezza added the bounty:$10 Bounty applies for fixing this issue (Parse Bounty Program) label Oct 7, 2021

mtrezza added type:feature New feature or improvement of existing feature and removed type:improvement labels Dec 6, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Restrict `explain` to the master key #7519

Restrict `explain` to the master key #7519

mstniy commented Aug 24, 2021

mtrezza commented Aug 24, 2021

Restrict explain to the master key #7519

Restrict explain to the master key #7519

Comments

mstniy commented Aug 24, 2021

New Feature / Enhancement Checklist

Current Limitation

Feature / Enhancement Description

Example Use Case

Alternatives / Workarounds

3rd Party References

mtrezza commented Aug 24, 2021

Restrict `explain` to the master key #7519

Restrict `explain` to the master key #7519