CDRIVER-4083 + CDRIVER-4138 (#856)

Author: kevinAlbs

src/libbson/src/bson/bson-json.c

@@ -970,6 +970,34 @@ _bson_json_parse_binary_elem (bson_json_reader_t *reader,
    }
 }
 
+static bool
+_bson_json_allow_embedded_nulls (bson_json_reader_t const *reader)
+{
+   const bson_json_read_state_t read_state = reader->bson.read_state;
+   const bson_json_read_bson_state_t bson_state = reader->bson.bson_state;
+
+   if (read_state == BSON_JSON_IN_BSON_TYPE_REGEX_VALUES) {
+      if (bson_state == BSON_JSON_LF_REGULAR_EXPRESSION_PATTERN ||
+          bson_state == BSON_JSON_LF_REGULAR_EXPRESSION_OPTIONS) {
+         /* Prohibit embedded NULL bytes for canonical extended regex:
+          * { $regularExpression: { pattern: "pattern", options: "options" } }
+          */
+         return false;
+      }
+   }
+
+   if (read_state == BSON_JSON_IN_BSON_TYPE) {
+      if (bson_state == BSON_JSON_LF_REGEX ||
+          bson_state == BSON_JSON_LF_OPTIONS) {
+         /* Prohibit embedded NULL bytes for legacy regex:
+          * { $regex: "pattern", $options: "options" } */
+         return false;
+      }
+   }
+
+   /* Embedded nulls are okay in any other context */
+   return true;
+}
 
 static void
 _bson_json_read_string (bson_json_reader_t *reader, /* IN */
@@ -978,13 +1006,14 @@ _bson_json_read_string (bson_json_reader_t *reader, /* IN */
 {
    bson_json_read_state_t rs;
    bson_json_read_bson_state_t bs;
+   const bool allow_null = _bson_json_allow_embedded_nulls (reader);
 
    BASIC_CB_PREAMBLE;
 
    rs = bson->read_state;
    bs = bson->bson_state;
 
-   if (!bson_utf8_validate ((const char *) val, vlen, true /*allow null*/)) {
+   if (!bson_utf8_validate ((const char *) val, vlen, allow_null)) {
       _bson_json_read_corrupt (reader, "invalid bytes in UTF8 string");
       return;
    }
@@ -1269,7 +1298,7 @@ _bson_json_read_map_key (bson_json_reader_t *reader, /* IN */
 {
    bson_json_reader_bson_t *bson = &reader->bson;
 
-   if (!bson_utf8_validate ((const char *) val, len, true /* allow null */)) {
+   if (!bson_utf8_validate ((const char *) val, len, false /* allow null */)) {
       _bson_json_read_corrupt (reader, "invalid bytes in UTF8 string");
       return;
    }

src/libbson/src/bson/bson.c

@@ -415,6 +415,28 @@ _bson_append (bson_t *bson,              /* IN */
    return ok;
 }
 
+static BSON_INLINE bool
+_string_contains_null (const char *str, size_t len)
+{
+   for (; len; ++str, --len) {
+      if (*str == 0) {
+         return true;
+      }
+   }
+   return false;
+}
+
+#define HANDLE_KEY_LENGTH(key, key_length)                                \
+   do {                                                                   \
+      if (key_length < 0) {                                               \
+         key_length = (int) strlen (key);                                 \
+      } else {                                                            \
+         /* Necessary to validate embedded NULL is not present in key. */ \
+         if (_string_contains_null (key, key_length)) {                   \
+            return false;                                                 \
+         }                                                                \
+      }                                                                   \
+   } while (0)
 
 /*
  *--------------------------------------------------------------------------
@@ -457,9 +479,7 @@ _bson_append_bson_begin (bson_t *bson,           /* IN */
                 (child_type == BSON_TYPE_ARRAY));
    BSON_ASSERT (child);
 
-   if (key_length < 0) {
-      key_length = (int) strlen (key);
-   }
+   HANDLE_KEY_LENGTH (key, key_length);
 
    /*
     * If the parent is an inline bson_t, then we need to convert
@@ -743,9 +763,7 @@ bson_append_array (bson_t *bson,        /* IN */
    BSON_ASSERT (key);
    BSON_ASSERT (array);
 
-   if (key_length < 0) {
-      key_length = (int) strlen (key);
-   }
+   HANDLE_KEY_LENGTH (key, key_length);
 
    /*
     * Let's be a bit pedantic and ensure the array has properly formatted key
@@ -818,9 +836,7 @@ bson_append_binary (bson_t *bson,           /* IN */
    BSON_ASSERT (bson);
    BSON_ASSERT (key);
 
-   if (key_length < 0) {
-      key_length = (int) strlen (key);
-   }
+   HANDLE_KEY_LENGTH (key, key_length);
 
    subtype8 = subtype;
 
@@ -896,9 +912,7 @@ bson_append_bool (bson_t *bson,    /* IN */
    BSON_ASSERT (bson);
    BSON_ASSERT (key);
 
-   if (key_length < 0) {
-      key_length = (int) strlen (key);
-   }
+   HANDLE_KEY_LENGTH (key, key_length);
 
    return _bson_append (bson,
                         4,
@@ -950,9 +964,7 @@ bson_append_code (bson_t *bson,           /* IN */
    BSON_ASSERT (key);
    BSON_ASSERT (javascript);
 
-   if (key_length < 0) {
-      key_length = (int) strlen (key);
-   }
+   HANDLE_KEY_LENGTH (key, key_length);
 
    length = (int) strlen (javascript) + 1;
    length_le = BSON_UINT32_TO_LE (length);
@@ -1011,9 +1023,7 @@ bson_append_code_with_scope (bson_t *bson,           /* IN */
       return bson_append_code (bson, key, key_length, javascript);
    }
 
-   if (key_length < 0) {
-      key_length = (int) strlen (key);
-   }
+   HANDLE_KEY_LENGTH (key, key_length);
 
    js_length = (int) strlen (javascript) + 1;
    js_length_le = BSON_UINT32_TO_LE (js_length);
@@ -1075,9 +1085,7 @@ bson_append_dbpointer (bson_t *bson,           /* IN */
    BSON_ASSERT (collection);
    BSON_ASSERT (oid);
 
-   if (key_length < 0) {
-      key_length = (int) strlen (key);
-   }
+   HANDLE_KEY_LENGTH (key, key_length);
 
    length = (int) strlen (collection) + 1;
    length_le = BSON_UINT32_TO_LE (length);
@@ -1134,9 +1142,7 @@ bson_append_document (bson_t *bson,        /* IN */
    BSON_ASSERT (key);
    BSON_ASSERT (value);
 
-   if (key_length < 0) {
-      key_length = (int) strlen (key);
-   }
+   HANDLE_KEY_LENGTH (key, key_length);
 
    return _bson_append (bson,
                         4,
@@ -1160,9 +1166,7 @@ bson_append_double (bson_t *bson, const char *key, int key_length, double value)
    BSON_ASSERT (bson);
    BSON_ASSERT (key);
 
-   if (key_length < 0) {
-      key_length = (int) strlen (key);
-   }
+   HANDLE_KEY_LENGTH (key, key_length);
 
 #if BSON_BYTE_ORDER == BSON_BIG_ENDIAN
    value = BSON_DOUBLE_TO_LE (value);
@@ -1191,9 +1195,7 @@ bson_append_int32 (bson_t *bson, const char *key, int key_length, int32_t value)
    BSON_ASSERT (bson);
    BSON_ASSERT (key);
 
-   if (key_length < 0) {
-      key_length = (int) strlen (key);
-   }
+   HANDLE_KEY_LENGTH (key, key_length);
 
    value_le = BSON_UINT32_TO_LE (value);
 
@@ -1220,9 +1222,7 @@ bson_append_int64 (bson_t *bson, const char *key, int key_length, int64_t value)
    BSON_ASSERT (bson);
    BSON_ASSERT (key);
 
-   if (key_length < 0) {
-      key_length = (int) strlen (key);
-   }
+   HANDLE_KEY_LENGTH (key, key_length);
 
    value_le = BSON_UINT64_TO_LE (value);
 
@@ -1253,9 +1253,7 @@ bson_append_decimal128 (bson_t *bson,
    BSON_ASSERT (key);
    BSON_ASSERT (value);
 
-   if (key_length < 0) {
-      key_length = (int) strlen (key);
-   }
+   HANDLE_KEY_LENGTH (key, key_length);
 
    value_le[0] = BSON_UINT64_TO_LE (value->low);
    value_le[1] = BSON_UINT64_TO_LE (value->high);
@@ -1439,9 +1437,7 @@ bson_append_maxkey (bson_t *bson, const char *key, int key_length)
    BSON_ASSERT (bson);
    BSON_ASSERT (key);
 
-   if (key_length < 0) {
-      key_length = (int) strlen (key);
-   }
+   HANDLE_KEY_LENGTH (key, key_length);
 
    return _bson_append (
       bson, 3, (1 + key_length + 1), 1, &type, key_length, key, 1, &gZero);
@@ -1456,9 +1452,7 @@ bson_append_minkey (bson_t *bson, const char *key, int key_length)
    BSON_ASSERT (bson);
    BSON_ASSERT (key);
 
-   if (key_length < 0) {
-      key_length = (int) strlen (key);
-   }
+   HANDLE_KEY_LENGTH (key, key_length);
 
    return _bson_append (
       bson, 3, (1 + key_length + 1), 1, &type, key_length, key, 1, &gZero);
@@ -1473,9 +1467,7 @@ bson_append_null (bson_t *bson, const char *key, int key_length)
    BSON_ASSERT (bson);
    BSON_ASSERT (key);
 
-   if (key_length < 0) {
-      key_length = (int) strlen (key);
-   }
+   HANDLE_KEY_LENGTH (key, key_length);
 
    return _bson_append (
       bson, 3, (1 + key_length + 1), 1, &type, key_length, key, 1, &gZero);
@@ -1494,9 +1486,7 @@ bson_append_oid (bson_t *bson,
    BSON_ASSERT (key);
    BSON_ASSERT (value);
 
-   if (key_length < 0) {
-      key_length = (int) strlen (key);
-   }
+   HANDLE_KEY_LENGTH (key, key_length);
 
    return _bson_append (bson,
                         4,
@@ -1573,12 +1563,15 @@ bson_append_regex_w_len (bson_t *bson,
    BSON_ASSERT (bson);
    BSON_ASSERT (key);
 
-   if (key_length < 0) {
-      key_length = (int) strlen (key);
-   }
+   HANDLE_KEY_LENGTH (key, key_length);
 
    if (regex_length < 0) {
       regex_length = (int) strlen (regex);
+   } else {
+      /* Necessary to validate embedded NULL is not present in key. */
+      if (_string_contains_null (regex, regex_length)) {
+         return false;
+      }
    }
 
    if (!regex) {
@@ -1630,9 +1623,7 @@ bson_append_utf8 (
       return bson_append_null (bson, key, key_length);
    }
 
-   if (BSON_UNLIKELY (key_length < 0)) {
-      key_length = (int) strlen (key);
-   }
+   HANDLE_KEY_LENGTH (key, key_length);
 
    if (BSON_UNLIKELY (length < 0)) {
       length = (int) strlen (value);
@@ -1672,9 +1663,7 @@ bson_append_symbol (
       return bson_append_null (bson, key, key_length);
    }
 
-   if (key_length < 0) {
-      key_length = (int) strlen (key);
-   }
+   HANDLE_KEY_LENGTH (key, key_length);
 
    if (length < 0) {
       length = (int) strlen (value);
@@ -1729,9 +1718,7 @@ bson_append_timestamp (bson_t *bson,
    BSON_ASSERT (bson);
    BSON_ASSERT (key);
 
-   if (key_length < 0) {
-      key_length = (int) strlen (key);
-   }
+   HANDLE_KEY_LENGTH (key, key_length);
 
    value = ((((uint64_t) timestamp) << 32) | ((uint64_t) increment));
    value = BSON_UINT64_TO_LE (value);
@@ -1773,9 +1760,7 @@ bson_append_date_time (bson_t *bson,
    BSON_ASSERT (bson);
    BSON_ASSERT (key);
 
-   if (key_length < 0) {
-      key_length = (int) strlen (key);
-   }
+   HANDLE_KEY_LENGTH (key, key_length);
 
    value_le = BSON_UINT64_TO_LE (value);
 
@@ -1819,9 +1804,7 @@ bson_append_undefined (bson_t *bson, const char *key, int key_length)
    BSON_ASSERT (bson);
    BSON_ASSERT (key);
 
-   if (key_length < 0) {
-      key_length = (int) strlen (key);
-   }
+   HANDLE_KEY_LENGTH (key, key_length);
 
    return _bson_append (
       bson, 3, (1 + key_length + 1), 1, &type, key_length, key, 1, &gZero);

src/libbson/tests/json/bson_corpus/document.json

@@ -51,6 +51,10 @@
         {
             "description": "Invalid subdocument: bad string length in field",
             "bson": "1C00000003666F6F001200000002626172000500000062617A000000"
+        },
+        {
+            "description": "Null byte in sub-document key",
+            "bson": "150000000378000D00000010610000010000000000"
         }
     ]
 }

src/libbson/tests/json/bson_corpus/regex.json

@@ -54,11 +54,11 @@
     ],
     "decodeErrors": [
         {
-            "description": "embedded null in pattern",
+            "description": "Null byte in pattern string",
             "bson": "0F0000000B610061006300696D0000"
         },
         {
-            "description": "embedded null in flags",
+            "description": "Null byte in flags string",
             "bson": "100000000B61006162630069006D0000"
         }
     ]

src/libbson/tests/json/bson_corpus/top-mongoc.json

@@ -0,0 +1,16 @@
+{
+    "description": "Top-level document validity - libmongoc-specific tests. TODO (CDRIVER-4016) move this file.",
+    "bson_type": "0x00",
+    "valid": [],
+    "decodeErrors": [],
+    "parseErrors": [
+        {
+            "description": "Null byte in legacy $regex string",
+            "string": "{\"a\" : {\"$regex\" : \"b\\u0000\", \"$options\" : \"i\"}}"
+        },
+        {
+            "description": "Null byte in legacy $options string",
+            "string": "{\"a\" : {\"$regex\" : \"b\", \"$options\" : \"i\\u0000\"}}"
+        }
+    ]
+}