From 15e127f181a5521305a84c13aa3e9a8148fbf323 Mon Sep 17 00:00:00 2001
From: Sergey Petushkov
Date: Wed, 17 Jun 2026 12:43:58 +0200
Subject: [PATCH 1/2] fix(shell-bson-parser): do not allow arbitrary function calls on literals
---
 packages/shell-bson-parser/src/check.ts | 11 ++++++++-
 packages/shell-bson-parser/src/index.spec.ts | 24 ++++++++++++--------
 2 files changed, 24 insertions(+), 11 deletions(-)
diff --git a/packages/shell-bson-parser/src/check.ts b/packages/shell-bson-parser/src/check.ts
index 26fb2c18..3bf149fa 100644
--- a/packages/shell-bson-parser/src/check.ts
+++ b/packages/shell-bson-parser/src/check.ts
@@ -23,7 +23,16 @@ class Checker {
 const object = node.callee.object;
 const property = node.callee.property as Identifier;
 // If we're only referring to identifiers, we don't need to check deeply.
- if (object.type === 'Identifier' && property.type === 'Identifier') {
+
+ if (object.type === 'Literal' && property.type === 'Identifier') {
+ return (
+ isMethodWhitelisted(typeof object.value, property.name) &&
+ node.arguments.every(this.checkSafeExpression)
+ );
+ } else if (
+ object.type === 'Identifier' &&
+ property.type === 'Identifier'
+ ) {
 return (
 isMethodWhitelisted(object.name, property.name) &&
 node.arguments.every(this.checkSafeExpression)
diff --git a/packages/shell-bson-parser/src/index.spec.ts b/packages/shell-bson-parser/src/index.spec.ts
index 88899ec5..9d003be7 100644
--- a/packages/shell-bson-parser/src/index.spec.ts
+++ b/packages/shell-bson-parser/src/index.spec.ts
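Review bot: Both branches of the check.ts hunk treat `property.name` as the method being invoked, but nothing visible here tests `node.callee.computed`, so a bracket access whose key is an identifier would be looked up in the allowlist under the variable's name rather than the property actually called. Unless that case is rejected earlier in the method (its start and end are outside the hunk), consider `if (node.callee.computed) return false;` ahead of the two branches. The new Literal branch also keys the allowlist by `typeof object.value`, which shares one namespace with identifier names and yields `'object'` for regex and `null` literals; a comment such as `// Literal receivers are looked up by typeof ('string', 'number', ...); regex/null map to 'object' and must stay unlisted` would make that contract explicit. `isMethodWhitelisted` is not shown, so it is worth confirming that it does an own-property lookup, so that names such as `constructor` cannot resolve through the prototype chain of an allowlist entry.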
@@ -724,6 +724,20 @@ describe('@mongodb-js/shell-bson-parser', function () { }); }); } + + it('should not allow calling IIFE', function () { + expect( + parse('{ date: (function() { return "10"; })() }', options), + ).to.equal(''); + }); + + it('should prevent attempting to break the sandbox', function () { + const withIdentifier = + "{ exploit: clearImmediate.constructor('return process;')().exit(1) }"; + expect(parse(withIdentifier, options)).to.equal(''); + const withLiteral = `{ exploit: "".toString.constructor('return process;')().exit(1) }`; + expect(parse(withLiteral, options)).to.equal(''); + }); }); describe('Comments', function () { @@ -751,16 +765,6 @@ describe('@mongodb-js/shell-bson-parser', function () { }); }); - it('should not allow calling IIFE', function () { - expect(parse('{ date: (function() { return "10"; })() }')).to.equal(''); - }); - - it('should prevent attempting to break the sandbox', function () { - const input = - "{ exploit: clearImmediate.constructor('return process;')().exit(1) }"; - expect(parse(input)).to.equal(''); - }); - it('should correctly parse NumberLong and Int64 bigger than Number.MAX_SAFE_INTEGER', function () { expect( parse("{ n: NumberLong('345678654321234552') }").n.toString(), From db5c517eb7d3bbbf6a6394dae0eb4347f1d3dd61 Mon Sep 17 00:00:00 2001 From: Sergey Petushkov Date: Wed, 17 Jun 2026 13:44:51 +0200 Subject: [PATCH 2/2] chore: adjust test --- packages/shell-bson-parser/src/index.spec.ts | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/packages/shell-bson-parser/src/index.spec.ts b/packages/shell-bson-parser/src/index.spec.ts index 9d003be7..20da8f1a 100644 --- a/packages/shell-bson-parser/src/index.spec.ts +++ b/packages/shell-bson-parser/src/index.spec.ts 
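Review bot: The literal input added in the first index.spec.ts hunk never has a literal as the direct receiver of a call: in `"".toString.constructor(...)` the innermost call's receiver is the member expression `"".toString`, so as far as the check.ts change shows, the new `object.type === 'Literal'` branch may not be what rejects it. Add a test that calls a non-allowlisted method straight on a literal, for example the constructed sample `expect(parse('{ a: "x".constructor("y") }', options)).to.equal('');` (assuming `constructor` is not allowlisted for strings), and, if any string or number methods are allowlisted, one positive test showing such a call still parses. That pins both outcomes of the new branch rather than relying on checks further down the method.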
@@ -731,12 +731,15 @@ describe('@mongodb-js/shell-bson-parser', function () { ).to.equal(''); }); - it('should prevent attempting to break the sandbox', function () { - const withIdentifier = + it('should prevent attempting to break the sandbox for identifiers', function () { + const input = "{ exploit: clearImmediate.constructor('return process;')().exit(1) }"; - expect(parse(withIdentifier, options)).to.equal(''); - const withLiteral = `{ exploit: "".toString.constructor('return process;')().exit(1) }`; - expect(parse(withLiteral, options)).to.equal(''); + expect(parse(input, options)).to.equal(''); + }); + + it('should prevent attempting to break the sandbox for literals', function () { + const input = `{ exploit: "".toString.constructor('return process;')().exit(1) }`; + expect(parse(input, options)).to.equal(''); }); });