CSHARP-2760: All binary message encoders should verify the opcode when decoding a message

Author: MikalaiMazurenka

src/MongoDB.Driver.Core/Core/WireProtocol/Messages/Encoders/BinaryEncoders/DeleteMessageBinaryEncoder.cs

@@ -15,7 +15,6 @@
 
 using System;
 using System.IO;
-using System.Text;
 using MongoDB.Bson;
 using MongoDB.Bson.IO;
 using MongoDB.Bson.Serialization;
@@ -69,7 +68,8 @@ internal DeleteMessage ReadMessage<TDocument>(IBsonSerializer<TDocument> seriali
             stream.ReadInt32(); // messageSize
             var requestId = stream.ReadInt32();
             stream.ReadInt32(); // responseTo
-            stream.ReadInt32(); // opcode
+            var opcode = (Opcode)stream.ReadInt32();
+            EnsureOpcodeIsValid(opcode);
             stream.ReadInt32(); // reserved
             var fullCollectionName = stream.ReadCString(Encoding);
             var flags = (DeleteFlags)stream.ReadInt32();
@@ -109,6 +109,15 @@ public void WriteMessage(DeleteMessage message)
             stream.BackpatchSize(startPosition);
         }
 
+        // private methods
+        private void EnsureOpcodeIsValid(Opcode opcode)
+        {
+            if (opcode != Opcode.Delete)
+            {
+                throw new FormatException("Delete message opcode is not OP_DELETE.");
+            }
+        }
+
         // explicit interface implementations
         MongoDBMessage IMessageEncoder.ReadMessage()
         {

src/MongoDB.Driver.Core/Core/WireProtocol/Messages/Encoders/BinaryEncoders/GetMoreMessageBinaryEncoder.cs

@@ -15,7 +15,6 @@
 
 using System;
 using System.IO;
-using System.Text;
 using MongoDB.Bson.IO;
 using MongoDB.Driver.Core.Misc;
 
@@ -50,7 +49,8 @@ public GetMoreMessage ReadMessage()
             stream.ReadInt32(); // messageSize
             var requestId = stream.ReadInt32();
             stream.ReadInt32(); // responseTo
-            stream.ReadInt32(); // opcode
+            var opcode = (Opcode)stream.ReadInt32();
+            EnsureOpcodeIsValid(opcode);
             stream.ReadInt32(); // reserved
             var fullCollectionName = stream.ReadCString(Encoding);
             var batchSize = stream.ReadInt32();
@@ -86,6 +86,15 @@ public void WriteMessage(GetMoreMessage message)
             stream.BackpatchSize(startPosition);
         }
 
+        // private methods
+        private void EnsureOpcodeIsValid(Opcode opcode)
+        {
+            if (opcode != Opcode.GetMore)
+            {
+                throw new FormatException("GetMore message opcode is not OP_GET_MORE.");
+            }
+        }
+
         // explicit interface implementations
         MongoDBMessage IMessageEncoder.ReadMessage()
         {

src/MongoDB.Driver.Core/Core/WireProtocol/Messages/Encoders/BinaryEncoders/InsertMessageBinaryEncoder.cs

@@ -60,7 +60,8 @@ public InsertMessage<TDocument> ReadMessage()
             var messageSize = stream.ReadInt32();
             var requestId = stream.ReadInt32();
             stream.ReadInt32(); // responseTo
-            stream.ReadInt32(); // opcode
+            var opcode = (Opcode)stream.ReadInt32();
+            EnsureOpcodeIsValid(opcode);
             var flags = (InsertFlags)stream.ReadInt32();
             var fullCollectionName = stream.ReadCString(Encoding);
             var documents = ReadDocuments(reader, messageStartPosition, messageSize);
@@ -113,6 +114,14 @@ private InsertFlags BuildInsertFlags(InsertMessage<TDocument> message)
             return flags;
         }
 
+        private void EnsureOpcodeIsValid(Opcode opcode)
+        {
+            if (opcode != Opcode.Insert)
+            {
+                throw new FormatException("Insert message opcode is not OP_INSERT.");
+            }
+        }
+
         private List<TDocument> ReadDocuments(BsonBinaryReader reader, long messageStartPosition, int messageSize)
         {
             var stream = reader.BsonStream;

src/MongoDB.Driver.Core/Core/WireProtocol/Messages/Encoders/BinaryEncoders/KillCursorsMessageBinaryEncoder.cs

@@ -15,7 +15,6 @@
 
 using System;
 using System.IO;
-using System.Text;
 using MongoDB.Bson.IO;
 using MongoDB.Driver.Core.Misc;
 
@@ -50,7 +49,8 @@ public KillCursorsMessage ReadMessage()
             stream.ReadInt32(); // messageSize
             var requestId = stream.ReadInt32();
             stream.ReadInt32(); // responseTo
-            stream.ReadInt32(); // opcode
+            var opcode = (Opcode)stream.ReadInt32();
+            EnsureOpcodeIsValid(opcode);
             stream.ReadInt32(); // reserved
             var count = stream.ReadInt32();
             var cursorIds = new long[count];
@@ -89,6 +89,15 @@ public void WriteMessage(KillCursorsMessage message)
             stream.BackpatchSize(startPosition);
         }
 
+        // private methods
+        private void EnsureOpcodeIsValid(Opcode opcode)
+        {
+            if (opcode != Opcode.KillCursors)
+            {
+                throw new FormatException("KillCursors message opcode is not OP_KILL_CURSORS.");
+            }
+        }
+
         // explicit interface implementations
         MongoDBMessage IMessageEncoder.ReadMessage()
         {

src/MongoDB.Driver.Core/Core/WireProtocol/Messages/Encoders/BinaryEncoders/QueryMessageBinaryEncoder.cs

@@ -89,7 +89,8 @@ internal QueryMessage ReadMessage<TDocument>(IBsonSerializer<TDocument> serializ
             var messageSize = stream.ReadInt32();
             var requestId = stream.ReadInt32();
             stream.ReadInt32(); // responseTo
-            stream.ReadInt32(); // opcode
+            var opcode = (Opcode)stream.ReadInt32();
+            EnsureOpcodeIsValid(opcode);
             var flags = (QueryFlags)stream.ReadInt32();
             var fullCollectionName = stream.ReadCString(Encoding);
             var skip = stream.ReadInt32();
@@ -153,6 +154,14 @@ public void WriteMessage(QueryMessage message)
         }
 
         // private methods
+        private void EnsureOpcodeIsValid(Opcode opcode)
+        {
+            if (opcode != Opcode.Query)
+            {
+                throw new FormatException("Query message opcode is not OP_QUERY.");
+            }
+        }
+
         private void WriteOptionalFields(BsonBinaryWriter binaryWriter, BsonDocument fields)
         {
             if (fields != null)

src/MongoDB.Driver.Core/Core/WireProtocol/Messages/Encoders/BinaryEncoders/ReplyMessageBinaryEncoder.cs

@@ -16,9 +16,6 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
-using System.Linq;
-using System.Text;
-using System.Threading.Tasks;
 using MongoDB.Bson;
 using MongoDB.Bson.IO;
 using MongoDB.Bson.Serialization;
@@ -62,7 +59,8 @@ public ReplyMessage<TDocument> ReadMessage()
             stream.ReadInt32(); // messageSize
             var requestId = stream.ReadInt32();
             var responseTo = stream.ReadInt32();
-            stream.ReadInt32(); // opcode
+            var opcode = (Opcode)stream.ReadInt32();
+            EnsureOpcodeIsValid(opcode);
             var flags = (ResponseFlags)stream.ReadInt32();
             var cursorId = stream.ReadInt64();
             var startingFrom = stream.ReadInt32();
@@ -158,6 +156,15 @@ public void WriteMessage(ReplyMessage<TDocument> message)
             stream.BackpatchSize(startPosition);
         }
 
+        // private methods
+        private void EnsureOpcodeIsValid(Opcode opcode)
+        {
+            if (opcode != Opcode.Reply)
+            {
+                throw new FormatException("Reply message opcode is not OP_REPLY.");
+            }
+        }
+
         // explicit interface implementations
         MongoDBMessage IMessageEncoder.ReadMessage()
         {

src/MongoDB.Driver.Core/Core/WireProtocol/Messages/Encoders/BinaryEncoders/UpdateMessageBinaryEncoder.cs

@@ -14,11 +14,7 @@
 */
 
 using System;
-using System.Collections.Generic;
 using System.IO;
-using System.Linq;
-using System.Text;
-using System.Threading.Tasks;
 using MongoDB.Bson;
 using MongoDB.Bson.IO;
 using MongoDB.Bson.Serialization;
@@ -77,7 +73,8 @@ internal UpdateMessage ReadMessage<TDocument>(IBsonSerializer<TDocument> seriali
             stream.ReadInt32(); // messageSize
             var requestId = stream.ReadInt32();
             stream.ReadInt32(); // responseTo
-            stream.ReadInt32(); // opcode
+            var opcode = (Opcode)stream.ReadInt32();
+            EnsureOpcodeIsValid(opcode);
             stream.ReadInt32(); // reserved
             var fullCollectionName = stream.ReadCString(Encoding);
             var flags = (UpdateFlags)stream.ReadInt32();
@@ -122,6 +119,15 @@ public void WriteMessage(UpdateMessage message)
             stream.BackpatchSize(startPosition);
         }
 
+        // private methods
+        private void EnsureOpcodeIsValid(Opcode opcode)
+        {
+            if (opcode != Opcode.Update)
+            {
+                throw new FormatException("Update message opcode is not OP_UPDATE.");
+            }
+        }
+
         private void WriteQuery(BsonBinaryWriter binaryWriter, BsonDocument query)
         {
             var context = BsonSerializationContext.CreateRoot(binaryWriter);

tests/MongoDB.Driver.Core.Tests/Core/WireProtocol/Messages/Encoders/BinaryEncoders/DeleteMessageBinaryEncoderTests.cs

@@ -17,9 +17,6 @@
 using System.IO;
 using FluentAssertions;
 using MongoDB.Bson;
-using MongoDB.Bson.IO;
-using MongoDB.Driver.Core.WireProtocol.Messages;
-using MongoDB.Driver.Core.WireProtocol.Messages.Encoders.BinaryEncoders;
 using Xunit;
 
 namespace MongoDB.Driver.Core.WireProtocol.Messages.Encoders.BinaryEncoders
@@ -105,6 +102,21 @@ public void ReadMessage_should_read_a_message()
             }
         }
 
+        [Fact]
+        public void ReadMessage_should_throw_when_opcode_is_invalid()
+        {
+            var bytes = (byte[])__testMessageBytes.Clone();
+            bytes[12]++;
+
+            using (var stream = new MemoryStream(bytes))
+            {
+                var subject = new DeleteMessageBinaryEncoder(stream, __messageEncoderSettings);
+                var exception = Record.Exception(() => subject.ReadMessage());
+                exception.Should().BeOfType<FormatException>();
+                exception.Message.Should().Be("Delete message opcode is not OP_DELETE.");
+            }
+        }
+
         [Theory]
         [InlineData(0, true)]
         [InlineData(1, false)]

tests/MongoDB.Driver.Core.Tests/Core/WireProtocol/Messages/Encoders/BinaryEncoders/GetMoreMessageBinaryEncoderTests.cs

@@ -16,9 +16,6 @@
 using System;
 using System.IO;
 using FluentAssertions;
-using MongoDB.Bson.IO;
-using MongoDB.Driver.Core.WireProtocol.Messages;
-using MongoDB.Driver.Core.WireProtocol.Messages.Encoders.BinaryEncoders;
 using Xunit;
 
 namespace MongoDB.Driver.Core.WireProtocol.Messages.Encoders.BinaryEncoders
@@ -86,6 +83,21 @@ public void ReadMessage_should_read_a_message()
             }
         }
 
+        [Fact]
+        public void ReadMessage_should_throw_when_opcode_is_invalid()
+        {
+            var bytes = (byte[])__testMessageBytes.Clone();
+            bytes[12]++;
+
+            using (var stream = new MemoryStream(bytes))
+            {
+                var subject = new GetMoreMessageBinaryEncoder(stream, __messageEncoderSettings);
+                var exception = Record.Exception(() => subject.ReadMessage());
+                exception.Should().BeOfType<FormatException>();
+                exception.Message.Should().Be("GetMore message opcode is not OP_GET_MORE.");
+            }
+        }
+
         [Fact]
         public void WriteMessage_should_throw_if_message_is_null()
         {

tests/MongoDB.Driver.Core.Tests/Core/WireProtocol/Messages/Encoders/BinaryEncoders/InsertMessageBinaryEncoderTests.cs

@@ -18,12 +18,9 @@
 using System.IO;
 using FluentAssertions;
 using MongoDB.Bson;
-using MongoDB.Bson.IO;
 using MongoDB.Bson.Serialization;
 using MongoDB.Bson.Serialization.Serializers;
 using MongoDB.Driver.Core.Misc;
-using MongoDB.Driver.Core.WireProtocol.Messages;
-using MongoDB.Driver.Core.WireProtocol.Messages.Encoders.BinaryEncoders;
 using Xunit;
 
 namespace MongoDB.Driver.Core.WireProtocol.Messages.Encoders.BinaryEncoders
@@ -126,6 +123,21 @@ public void ReadMessage_should_read_a_message()
             }
         }
 
+        [Fact]
+        public void ReadMessage_should_throw_when_opcode_is_invalid()
+        {
+            var bytes = (byte[])__testMessageBytes.Clone();
+            bytes[12]++;
+
+            using (var stream = new MemoryStream(bytes))
+            {
+                var subject = new InsertMessageBinaryEncoder<BsonDocument>(stream, __messageEncoderSettings, __serializer);
+                var exception = Record.Exception(() => subject.ReadMessage());
+                exception.Should().BeOfType<FormatException>();
+                exception.Message.Should().Be("Insert message opcode is not OP_INSERT.");
+            }
+        }
+
         [Theory]
         [InlineData(0, false)]
         [InlineData(1, true)]