Info
As per documentation at:
https://docs.mongodb.com/manual/core/server-side-javascript/#disable-server-side-execution-of-javascript
--noscripting option when passed to mongod, doesn't stop any '$where' executions.
Top User Comments
krishna.devale commented on Sat, 25 Mar 2017 11:08:34 +0000:
Hi Mark,
Thanks for your response.
The issue is on my side.
I had an alias for mongod as 'mongod --dbpath '
On the alias when I use mongod --noscripting, mongod was not recognizing the option.
Even config file is very particular about indentation.
I am able to get the --noscripting feature to work now.
Thanks,
Krishna
mark.agarunov commented on Fri, 24 Mar 2017 18:35:48 +0000:
Hello krishna.devale,
Thank you for the report. Unfortunately, we have not been able to reproduce this. With --noscripting passed to mongod I'm seeing:
Marks-MacBook-Pro(mongod-3.5.4) test> db.test.find( {$where:function(){print("TEST"); return true;}} );
Error: error: {
"ok": 0,
"errmsg": "no globalScriptEngine in $where parsing",
"code": 2,
"codeName": "BadValue",
"operationTime": Timestamp(0, 0)
}
And no output in the server logs.
Without --noscripting TEST is printed in the server logs.
Thanks,
Mark
Steps to Reproduce
1. Run 'mongod --noscripting'
2. Run mongo client 'mongo'
3. Run command in mongo client:
db..find(
{"$where":print("HI")}
);
4. Console logs of mongod prints out "HI" per document in collection