SERVER-26703 reject commands exceeding the BSON depth limit

Any command sent to the server that exceeds the depth limit will fail. This also prevents users from
inserting documents that exceed the depth limit.

4 files changed, 115 insertions, 0 deletions

diff --git a/src/mongo/bson/SConscript b/src/mongo/bson/SConscript
index a32f7795da2..639b32680fd 100644
--- a/src/mongo/bson/SConscript
+++ b/src/mongo/bson/SConscript
@@ -73,3 +73,12 @@ env.CppUnitTest(
         '$BUILD_DIR/mongo/base',
     ],
 )
+
+env.Library(
+    target='bson_depth',
+    source=[
+        'bson_depth.cpp',
+    ],
+    LIBDEPS=[
+    ],
+)
diff --git a/src/mongo/bson/bson_depth.cpp b/src/mongo/bson/bson_depth.cpp
new file mode 100644
index 00000000000..153d53d85ef
--- /dev/null
+++ b/src/mongo/bson/bson_depth.cpp
@@ -0,0 +1,43 @@
+/**
+ * Copyright (C) 2017 MongoDB Inc.
+ *
+ * This program is free software: you can redistribute it and/or  modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * As a special exception, the copyright holders give permission to link the
+ * code of portions of this program with the OpenSSL library under certain
+ * conditions as described in each individual source file and distribute
+ * linked combinations including the program with the OpenSSL library. You
+ * must comply with the GNU Affero General Public License in all respects
+ * for all of the code used other than as permitted herein. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you do not
+ * wish to do so, delete this exception statement from your version. If you
+ * delete this exception statement from all source files in the program,
+ * then also delete it in the license file.
+ */
+
+#include "mongo/platform/basic.h"
+
+#include "mongo/bson/bson_depth.h"
+
+namespace mongo {
+constexpr std::int32_t BSONDepth::kDefaultMaxAllowableDepth;
+constexpr std::int32_t BSONDepth::kBSONDepthParameterFloor;
+constexpr std::int32_t BSONDepth::kBSONDepthParameterCeiling;
+
+std::int32_t BSONDepth::maxAllowableDepth = BSONDepth::kDefaultMaxAllowableDepth;
+
+std::uint32_t BSONDepth::getMaxAllowableDepth() {
+    return static_cast<std::uint32_t>(BSONDepth::maxAllowableDepth);
+}
+}  // namespace mongo
diff --git a/src/mongo/bson/bson_depth.h b/src/mongo/bson/bson_depth.h
new file mode 100644
index 00000000000..ef8ffc3631d
--- /dev/null
+++ b/src/mongo/bson/bson_depth.h
@@ -0,0 +1,56 @@
+/**
+ * Copyright (C) 2017 MongoDB Inc.
+ *
+ * This program is free software: you can redistribute it and/or  modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * As a special exception, the copyright holders give permission to link the
+ * code of portions of this program with the OpenSSL library under certain
+ * conditions as described in each individual source file and distribute
+ * linked combinations including the program with the OpenSSL library. You
+ * must comply with the GNU Affero General Public License in all respects
+ * for all of the code used other than as permitted herein. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you do not
+ * wish to do so, delete this exception statement from your version. If you
+ * delete this exception statement from all source files in the program,
+ * then also delete it in the license file.
+ */
+
+#pragma once
+
+#include <cstdint>
+
+namespace mongo {
+/**
+ * Controls the maximum BSON depth tolerated by the server.
+ */
+struct BSONDepth {
+    // The default BSON depth nesting limit.
+    static constexpr std::int32_t kDefaultMaxAllowableDepth = 200;
+
+    // The minimum allowable value for the BSON depth parameter.
+    static constexpr std::int32_t kBSONDepthParameterFloor = 5;
+
+    // The maximum allowable value for the BSON depth parameter.
+    static constexpr std::int32_t kBSONDepthParameterCeiling = 1000;
+
+    // The depth of BSON accepted by the server. Configurable via the 'maxBSONDepth' server
+    // parameter.
+    static std::int32_t maxAllowableDepth;
+
+    /**
+     * Returns the maximum allowable BSON depth as an unsigned integer.
+     */
+    static std::uint32_t getMaxAllowableDepth();
+};
+}  // namespace mongo
diff --git a/src/mongo/bson/bson_validate.cpp b/src/mongo/bson/bson_validate.cpp
index 8a11597a45e..c2d97a6496e 100644
--- a/src/mongo/bson/bson_validate.cpp
+++ b/src/mongo/bson/bson_validate.cpp
@@ -32,6 +32,7 @@
 #include <vector>
 
 #include "mongo/base/data_view.h"
+#include "mongo/bson/bson_depth.h"
 #include "mongo/bson/bson_validate.h"
 #include "mongo/bson/oid.h"
 #include "mongo/db/jsobj.h"
@@ -327,6 +328,12 @@ Status validateBSONIterative(Buffer* buffer) {
     while (state != ValidationState::Done) {
         switch (state) {
             case ValidationState::BeginObj:
+                if (frames.size() > BSONDepth::getMaxAllowableDepth()) {
+                    return {ErrorCodes::Overflow,
+                            str::stream() << "BSONObj exceeded maximum nested object depth: "
+                                          << BSONDepth::getMaxAllowableDepth()};
+                }
+
                 frames.push_back(ValidationObjectFrame());
                 curr = &frames.back();
                 curr->setStartPosition(buffer->position());