SERVER-50761 Crash the shell on invalid BSON errors on server responses from outgoing connections in

all of the jstestfuzz test suites.

Combine a new shell parameter --crashOnInvalidBSONError with --objcheck in the shell for all
jstestfuzz test suites. --objcheck in the shell turns on BSON validation on responses from outgoing
connections to the server. --crashOnInvalidBSONError crashes the shell if that extra BSON validation
encounters an error, and attempts to log the invalid BSON for debugging.

6 files changed, 81 insertions, 6 deletions

diff --git a/src/mongo/db/server_options.h b/src/mongo/db/server_options.h
index c8aa3037866..14a4416f0a8 100644
--- a/src/mongo/db/server_options.h
+++ b/src/mongo/db/server_options.h
@@ -72,6 +72,10 @@ struct ServerGlobalParams {
 
     bool objcheck = true;  // --objcheck
 
+    // Shell parameter, used for testing only, to tell the shell to crash on InvalidBSON errors.
+    // Can be paired with --objcheck so that extra BSON validation occurs.
+    bool crashOnInvalidBSONError = false;  // --crashOnInvalidBSONError
+
     int defaultProfile = 0;  // --profile
     boost::optional<BSONObj> defaultProfileFilter;
     int slowMS = 100;                      // --time in ms that is "slow"
diff --git a/src/mongo/db/server_options_general.idl b/src/mongo/db/server_options_general.idl
index 1d595700996..53e303f3aa9 100644
--- a/src/mongo/db/server_options_general.idl
+++ b/src/mongo/db/server_options_general.idl
@@ -164,6 +164,11 @@ configs:
         arg_vartype: Bool
         source: yaml
         hidden: true
+    crashOnInvalidBSONError:
+        description: "Crashes the shell if invalid BSON is returned from a call to the server. Must be paired with objcheck to provoke a BSON validation check."
+        arg_vartype: Switch
+        source: [ cli, ini ]
+        hidden: true
     enableExperimentalStorageDetailsCmd:
         description: 'EXPERIMENTAL (UNSUPPORTED). Enable command computing aggregate statistics on storage.'
         arg_vartype: Switch
diff --git a/src/mongo/rpc/object_check.h b/src/mongo/rpc/object_check.h
index 26bc175539e..ac9ddb899d8 100644
--- a/src/mongo/rpc/object_check.h
+++ b/src/mongo/rpc/object_check.h
@@ -29,10 +29,14 @@
 
 #pragma once
 
+#include <algorithm>
+
 #include "mongo/base/data_type_validated.h"
 #include "mongo/bson/bson_validate.h"
 #include "mongo/bson/bsontypes.h"
 #include "mongo/db/server_options.h"
+#include "mongo/logv2/redaction.h"
+#include "mongo/util/hex.h"
 
 // We do not use the rpc namespace here so we can specialize Validator.
 namespace mongo {
@@ -47,7 +51,24 @@ template <>
 struct Validator<BSONObj> {
 
     inline static Status validateLoad(const char* ptr, size_t length) {
-        return serverGlobalParams.objcheck ? validateBSON(ptr, length) : Status::OK();
+        if (!serverGlobalParams.objcheck) {
+            return Status::OK();
+        }
+
+        auto status = validateBSON(ptr, length);
+        if (serverGlobalParams.crashOnInvalidBSONError && !status.isOK()) {
+            std::string msg = "Invalid BSON was received: " + status.toString() +
+                // Using std::min with length so we do not max anything out in case the corruption
+                // is in the size of the object. The hex dump will be longer if needed.
+                ", beginning 5000 characters: " + std::string(ptr, std::min(length, (size_t)5000)) +
+                ", length: " + std::to_string(length) +
+                // Using std::min with hex dump length, too, to ensure we do not throw in hexdump()
+                // because of exceeded length and miss out on the core dump of the fassert below.
+                ", hex dump: " + hexdump(ptr, std::min(length, (size_t)(1000000 - 1)));
+            Status builtStatus(ErrorCodes::InvalidBSON, redact(msg));
+            fassertFailedWithStatus(50761, builtStatus);
+        }
+        return status;
     }
 
     static Status validateStore(const BSONObj& toStore);
diff --git a/src/mongo/rpc/object_check_test.cpp b/src/mongo/rpc/object_check_test.cpp
index 52010604f53..7ecb0d0ed93 100644
--- a/src/mongo/rpc/object_check_test.cpp
+++ b/src/mongo/rpc/object_check_test.cpp
@@ -35,23 +35,22 @@
 #include "mongo/db/jsobj.h"
 #include "mongo/db/server_options.h"
 #include "mongo/rpc/object_check.h"
+#include "mongo/unittest/death_test.h"
 #include "mongo/unittest/unittest.h"
 #include "mongo/util/scopeguard.h"
 
 namespace {
 
 using namespace mongo;
+using std::begin;
+using std::end;
+using std::swap;
 
 TEST(DataTypeValidated, BSONValidationEnabled) {
-    using std::swap;
-
     bool wasEnabled = serverGlobalParams.objcheck;
     const auto setValidation = [&](bool enabled) { serverGlobalParams.objcheck = enabled; };
     ON_BLOCK_EXIT([=] { setValidation(wasEnabled); });
 
-    using std::begin;
-    using std::end;
-
     BSONObj valid = BSON("baz"
                          << "bar"
                          << "garply"
@@ -88,4 +87,39 @@ TEST(DataTypeValidated, BSONValidationEnabled) {
         ASSERT_OK(cdrc.readAndAdvanceNoThrow(&v));
     }
 }
+
+DEATH_TEST(ObjectCheck, BSONValidationEnabledWithCrashOnError, "50761") {
+    bool objcheckValue = serverGlobalParams.objcheck;
+    serverGlobalParams.objcheck = true;
+    ON_BLOCK_EXIT([=] { serverGlobalParams.objcheck = objcheckValue; });
+
+    bool crashOnErrorValue = serverGlobalParams.crashOnInvalidBSONError;
+    serverGlobalParams.crashOnInvalidBSONError = true;
+    ON_BLOCK_EXIT([&] { serverGlobalParams.crashOnInvalidBSONError = crashOnErrorValue; });
+
+    BSONObj valid = BSON("baz"
+                         << "bar"
+                         << "garply"
+                         << BSON("foo"
+                                 << "bar"));
+    char buf[1024] = {0};
+    std::copy(valid.objdata(), valid.objdata() + valid.objsize(), begin(buf));
+
+    {
+        // mess up the data
+        DataRangeCursor drc(begin(buf), end(buf));
+        // skip past size so we don't trip any sanity checks.
+        drc.advanceNoThrow(4).transitional_ignore();  // skip size
+        while (drc.writeAndAdvanceNoThrow(0xFF).isOK())
+            ;
+    }
+
+    {
+        Validated<BSONObj> v;
+        ConstDataRangeCursor cdrc(begin(buf), end(buf));
+        // Crashes because of invalid BSON
+        cdrc.readAndAdvanceNoThrow(&v).ignore();
+    }
+}
+
 }  // namespace
diff --git a/src/mongo/shell/shell_options.cpp b/src/mongo/shell/shell_options.cpp
index 6f3e6991930..60d6cae2e24 100644
--- a/src/mongo/shell/shell_options.cpp
+++ b/src/mongo/shell/shell_options.cpp
@@ -131,6 +131,12 @@ Status storeMongoShellOptions(const moe::Environment& params,
         serverGlobalParams.objcheck = false;
     }
 
+    // Similar to 'objcheck' above, 'crashOnInvalidBSONError' must be common to both the server
+    // and shell for linking reasons.
+    if (params.count("crashOnInvalidBSONError")) {
+        serverGlobalParams.crashOnInvalidBSONError = true;
+    }
+
     if (params.count("port")) {
         shellGlobalParams.port = params["port"].as<string>();
     }
diff --git a/src/mongo/shell/shell_options.idl b/src/mongo/shell/shell_options.idl
index fe7c9d9121b..dad2a314976 100644
--- a/src/mongo/shell/shell_options.idl
+++ b/src/mongo/shell/shell_options.idl
@@ -102,6 +102,11 @@ configs:
     source: [ cli, ini ]
     conflicts: "objcheck"
     hidden: true
+  "crashOnInvalidBSONError":
+    description: "Crashes the shell if invalid BSON is returned from a call to the server. Must be paired with objcheck to provoke a BSON validation check."
+    arg_vartype: Switch
+    source: [ cli, ini ]
+    hidden: true
 
   "disableJavaScriptJIT":
     description: "disable the Javascript Just In Time compiler"