apache / couchdb

Seamless multi-master syncing database with an intuitive HTTP/JSON API, designed for reliability
https://couchdb.apache.org/
Apache License 2.0

Prevent inserting illegal ddocs via mango #5330

Closed nickva closed 3 weeks ago

nickva commented 3 weeks ago

Mango indexes allow specifying a custom ddoc ID in the _index POST request. Previously it was possible to insert _design/, which is an illegal doc ID.

nickva commented 3 weeks ago

With the fix:

% http put $DB/db/_design%2f
HTTP/1.1 400 Bad Request

{
    "error": "illegal_docid",
    "reason": "Illegal document id `_design/`"
}

% http post $DB/db/_index index:='{"fields":["_id"]}' ddoc:='"_design/"'
HTTP/1.1 400 Bad Request

{
    "error": "illegal_docid",
    "reason": "Illegal document id `_design/`"
}
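The class of bug described in this thread, a second write path that skips the doc ID check the direct PUT path enforces, shown as a simplified Python model. This is an added example, not CouchDB's Erlang code or the patch from this PR; the function names, the prefix normalization step and the success response are assumptions, and only the `_design/` rule and its error body come from the page.

```python
# Simplified model of the check discussed above; NOT CouchDB's own code.
DESIGN_PREFIX = "_design/"


class IllegalDocId(ValueError):
    """Corresponds to the HTTP 400 `illegal_docid` response shown in the thread."""


def validate_docid(doc_id: str) -> str:
    # Rule taken from the page: the bare design prefix is not a legal doc ID.
    if doc_id == DESIGN_PREFIX:
        raise IllegalDocId("Illegal document id `_design/`")
    return doc_id


def ddoc_id_unchecked(ddoc: str) -> str:
    """'Before' shape: normalize the caller-supplied name, never validate it."""
    # Assumption: names without the prefix get it added, prefixed names pass through.
    return ddoc if ddoc.startswith(DESIGN_PREFIX) else DESIGN_PREFIX + ddoc


def ddoc_id_checked(ddoc: str) -> str:
    """'After' shape: validate the final ID, i.e. after normalization."""
    return validate_docid(ddoc_id_unchecked(ddoc))


def index_request(body: dict, resolve) -> tuple[int, dict]:
    """Model of POST /db/_index; returns (status, json). Success body is constructed."""
    try:
        ddoc_id = resolve(body["ddoc"])
    except IllegalDocId as exc:
        return 400, {"error": "illegal_docid", "reason": str(exc)}
    return 200, {"result": "created", "id": ddoc_id}


if __name__ == "__main__":
    # Constructed inputs: the value from the thread, an empty name, a normal name.
    for ddoc in ("_design/", "", "by_id"):
        print(repr(ddoc),
              index_request({"ddoc": ddoc}, ddoc_id_unchecked)[0],
              index_request({"ddoc": ddoc}, ddoc_id_checked)[0])
```

In this model an empty `ddoc` value also normalizes to `_design/`, which is why the check runs on the final ID rather than on the raw request field.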