...
BugZero found this defect 2777 days ago.
As per the documentation at https://docs.mongodb.com/manual/core/server-side-javascript/#disable-server-side-execution-of-javascript, the --noscripting option, when passed to mongod, doesn't stop any '$where' executions.
krishna.devale commented on Sat, 25 Mar 2017 11:08:34 +0000:

Hi Mark,

Thanks for your response. The issue is on my side. I had an alias for mongod as 'mongod --dbpath '. On the alias when I use mongod --noscripting, mongod was not recognizing the option. Even config file is very particular about indentation. I am able to get the --noscripting feature to work now.

Thanks,
Krishna

mark.agarunov commented on Fri, 24 Mar 2017 18:35:48 +0000:

Hello krishna.devale,

Thank you for the report. Unfortunately, we have not been able to reproduce this. With --noscripting passed to mongod I'm seeing:

    Marks-MacBook-Pro(mongod-3.5.4) test> db.test.find( {$where:function(){print("TEST"); return true;}} );
    Error: error: {
        "ok": 0,
        "errmsg": "no globalScriptEngine in $where parsing",
        "code": 2,
        "codeName": "BadValue",
        "operationTime": Timestamp(0, 0)
    }

And no output in the server logs. Without --noscripting TEST is printed in the server logs.

Thanks,
Mark
1. Run 'mongod --noscripting'
2. Run mongo client 'mongo'
3. Run command in mongo client: db..find( {"$where":print("HI")} );
4. Console logs of mongod prints out "HI" per document in collection
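
The thread's resolution was that the option never reached mongod, so a useful check is to compare what the server reports about its own options with how it answers a harmless $where probe. The following is an added example, not part of the original report and not MongoDB's code; the reply shapes (an argv array and parsed.security.javascriptEnabled in a getCmdLineOpts reply) are assumptions, the error text and code are taken from Mark's comment, and the sample documents are constructed.

```javascript
// Added example: classify a mongod instance from two reply documents.
// Reply shapes are assumptions; only the error text and code come from the thread.

// Error text and code quoted in mark.agarunov's comment.
const NO_ENGINE_MSG = "no globalScriptEngine";
const BAD_VALUE = 2;

// Does the getCmdLineOpts reply show that scripting was turned off,
// either on the command line or through the config file?
function optionApplied(cmdLineOpts) {
  const argv = cmdLineOpts.argv || [];
  const security = (cmdLineOpts.parsed || {}).security || {};
  return argv.includes("--noscripting") || security.javascriptEnabled === false;
}

// Was a harmless $where probe rejected because no script engine exists?
function probeRejected(probeReply) {
  return probeReply.ok === 0 &&
    probeReply.code === BAD_VALUE &&
    String(probeReply.errmsg || "").includes(NO_ENGINE_MSG);
}

// Combine both signals; disagreement between them is reported, not hidden.
function classify(cmdLineOpts, probeReply) {
  const applied = optionApplied(cmdLineOpts);
  const rejected = probeRejected(probeReply);
  if (applied && rejected) return "disabled";
  if (!applied && !rejected) return "enabled: option never reached mongod";
  if (applied && !rejected) return "inconsistent: option set but $where ran";
  return "inconsistent: $where rejected but option not visible";
}

// Constructed sample replies (not captured from a real server).
const hardened = {
  opts: { argv: ["mongod", "--noscripting"],
          parsed: { security: { javascriptEnabled: false } }, ok: 1 },
  probe: { ok: 0, errmsg: "no globalScriptEngine in $where parsing",
           code: 2, codeName: "BadValue" },
};
// The alias case from the thread: the flag was dropped before mongod started.
const aliased = {
  opts: { argv: ["mongod", "--dbpath", "/constructed/path"],
          parsed: { storage: { dbPath: "/constructed/path" } }, ok: 1 },
  probe: { ok: 1, cursor: { firstBatch: [] } },
};

console.log(classify(hardened.opts, hardened.probe));
console.log(classify(aliased.opts, aliased.probe));
```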