Info

createUser and updateUser accept malformed values in authenticationRestrictions.clientSource and persist them to system.users instead of rejecting them during validation. clientSource is expected to represent valid client address constraints. Server-side validation is incomplete or inconsistent. Arbitrary/non-address strings can be stored as if they were valid restrictions. This creates a silent misconfiguration risk in the authentication policy.

Top User Comments

Steps to Reproduce

Create a user. use admin db.runCommand({ createUser: "repro_user", pwd: "password123", roles: [{ role: "read", db: "admin" }] }) Run updateUser (or createUser) with authenticationRestrictions.clientSource containing at least one invalid/non-address token (for example, a placeholder-like string). db.runCommand({ updateUser: "repro_user", authenticationRestrictions: [ { clientSource: [ "10.0.0.1", "NOT_AN_IP_OR_CIDR", "127.0.0.1" ] } ] }) Query admin.system.users admin> db.system.users.findOne({ user: "repro_user", db: "admin" }) { _id: 'admin.repro_user', userId: UUID('xxxx'), user: 'repro_user', db: 'admin', credentials: { 'SCRAM-SHA-1': { iterationCount: 10000, salt: 'WJ96stk5PUxy18CQkYx7ig==', storedKey: 'cPvfXp5rQjkwwvLgmcV0ZLvHXdk=', serverKey: 'mqNbRjhT1acJWjh80C8dh9PIhgY=' }, 'SCRAM-SHA-256': { iterationCount: 15000, salt: 'q3VhUxUDNoLAnCK+s4qr981BUdMstYMrbZ5hgQ==', storedKey: 'VVWIZFnX9FOTtLJyHWJabJboO3b7moqel+lHOI9BchI=', serverKey: 'vw8prAIT0+j31nkUviQLU2dwJ+I9QQ5s+mGt10K9Gxw=' } }, roles: [ { role: 'read', db: 'admin' } ], authenticationRestrictions: [ { clientSource: [ '10.0.0.1', 'NOT_AN_IP_OR_CIDR', '127.0.0.1' ] } ] } The invalid token is persisted in authenticationRestrictions.clientSource and command returns success (ok: 1). Authentication to the user fails on attempt: Invalid IP address in CIDR string, full error: {'ok': 0.0, 'errmsg': 'Invalid IP address in CIDR string', 'code': 2, 'codeName': 'BadValue', '$clusterTime': {'clusterTime': Timestamp(1780413851, 1), 'signature': {'hash': b'\xxxxxyyyyyy', 'keyId': zzzzzyyyyyy}}, 'operationTime': Timestamp(1780413851, 1)} Expected behaviour: Command should fail validation (BadValue or equivalent) when any clientSource Entry is not a valid address constraint format, and no invalid restriction values should be persisted. Actual behaviour: Command succeeds. Invalid clientSource entry is stored in system.users.