Skip to content

Harden BsonBinaryReader.skipValue() size validation#1990

Open
rozza wants to merge 3 commits into
mongodb:mainfrom
rozza:JAVA-6220
Open

Harden BsonBinaryReader.skipValue() size validation#1990
rozza wants to merge 3 commits into
mongodb:mainfrom
rozza:JAVA-6220

Conversation

@rozza
Copy link
Copy Markdown
Member

@rozza rozza commented Jun 2, 2026

The skip path in doSkipValue() was more permissive than the canonical decode path, accepting malformed BSON sizes that full decoding rejects. This allowed RawBsonDocument metadata accessors (size(), containsKey(), get()) to accept attacker-controlled malformed data as valid fields.

Add type-specific validation helpers to doSkipValue():

  • readStringSize(): rejects size 0 (STRING, SYMBOL, JAVASCRIPT, DB_POINTER)
  • readContainerSize(min): rejects undersized containers (DOCUMENT, ARRAY, JAVASCRIPT_WITH_SCOPE) that would produce negative skips
  • readJavaScriptWithScopeSize(): validates nested code/scope sizes and total-size consistency
  • addTrailingBytes(): guards against int overflow for BINARY and DB_POINTER

BINARY size 0 remains valid (empty binary is spec-compliant).

JAVA-6220

@rozza
Harden BsonBinaryReader.skipValue() size validation
d9c0cbb 
The skip path in doSkipValue() was more permissive than the canonical
decode path, accepting malformed BSON sizes that full decoding rejects.
This allowed RawBsonDocument metadata accessors (size(), containsKey(),
get()) to accept attacker-controlled malformed data as valid fields.

Add type-specific validation helpers to doSkipValue():
- readStringSize(): rejects size 0 (STRING, SYMBOL, JAVASCRIPT, DB_POINTER)
- readContainerSize(min): rejects undersized containers (DOCUMENT, ARRAY,
  JAVASCRIPT_WITH_SCOPE) that would produce negative skips
- readJavaScriptWithScopeSize(): validates nested code/scope sizes and
  total-size consistency
- addTrailingBytes(): guards against int overflow for BINARY and DB_POINTER

BINARY size 0 remains valid (empty binary is spec-compliant).

JAVA-6220
@rozza rozza marked this pull request as ready for review June 2, 2026 11:17
@rozza rozza requested a review from a team as a code owner June 2, 2026 11:17
@rozza rozza requested review from Copilot and stIncMale June 2, 2026 11:17
@rozza rozza marked this pull request as draft June 2, 2026 11:19
Copilot AI reviewed Jun 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens BsonBinaryReader.skipValue() so its skip-path size handling more closely matches the canonical decode-path validation, preventing RawBsonDocument metadata accessors (size(), containsKey(), get()) from accepting certain malformed BSON payloads as valid (JAVA-6220).

Changes:

  • Add type-specific size validation helpers in BsonBinaryReader.doSkipValue() (strings, containers, JavaScript-with-scope, overflow-safe trailing bytes).
  • Add focused BsonBinaryReaderTest coverage for malformed sizes (zero-length strings/symbol/js/dbpointer, undersized containers, JS-with-scope consistency checks, overflow guards) and minimal-valid regressions.
  • Add RawBsonDocumentTest regression tests demonstrating that metadata accessors reject malformed zero-length string values when iteration requires skipValue().

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
bson/src/main/org/bson/BsonBinaryReader.java Tightens skip-path validation via helpers for string/container sizes, JS-with-scope consistency, and overflow-safe skip calculations.
bson/src/test/unit/org/bson/BsonBinaryReaderTest.java Adds comprehensive unit tests exercising newly hardened skipValue() validation paths plus minimal-valid regressions.
bson/src/test/unit/org/bson/RawBsonDocumentTest.java Adds regression tests ensuring RawBsonDocument metadata accessors reject malformed documents that require skipValue() iteration.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread bson/src/main/org/bson/BsonBinaryReader.java Outdated
@rozza
Potential fix for pull request finding
ff3fff2 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@rozza rozza marked this pull request as ready for review June 2, 2026 11:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@stIncMale stIncMale Awaiting requested review from stIncMale stIncMale is a code owner automatically assigned from mongodb/dbx-java

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rozza