node-mongodb-native icon indicating copy to clipboard operation
node-mongodb-native copied to clipboard

Published 20 hours ago verified publisher icon mongodb

feat(NODE-6289): allow valid srv hostnames with less than 3 parts

Open aditi-khare-mongoDB opened this issue 6 months ago • 2 comments

Description

Downstream changes for DRIVERS-2922 (PR).

What is changing?

  • Remove logic asserting that SRV URIs need 3 parts
  • When we check if a returned address matches its parent SRV, an SRV with <3 parts must assert that the returned address contains an additional domain level
  • Add in prose tests.
Is there new documentation needed for these changes?

No

What is the motivation for this change?

Do not throw an error on valid URI formats pre-DNS resolution, and require stricter domain matching post-DNS resolution.

Release Highlight

Allow SRV hostnames with less than three . separated parts

The client now accepts SRV hostname strings with one or two . separated parts.

For example, the following code no longer throws an error.

await new MongoClient('mongodb+srv://localhost').connect();

For security reasons, the returned addresses of SRV strings with less than three parts must end with the entire SRV hostname and contain at least one additional domain level. This is because this added validation ensures that the returned address(es) are from a known host. In future releases, we plan on extending this validation to SRV strings with three or more parts, as well.

// Example 1: Validation fails since the returned address doesn't end with the entire SRV hostname
'mongodb+srv://mySite.com' => 'myEvilSite.com' 

// Example 2: Validation fails since the returned address is identical to the SRV hostname
'mongodb+srv://mySite.com' => 'mySite.com' 

// Example 3: Validation passes since the returned address ends with the entire SRV hostname and contains an additional domain level
'mongodb+srv://mySite.com' => 'cluster_1.mySite.com'

Double check the following

  • [x] Ran npm run check:lint script
  • [x] Self-review completed using the steps outlined here
  • [x] PR title follows the correct format: type(NODE-xxxx)[!]: description
    • Example: feat(NODE-1234)!: rewriting everything in coffeescript
  • [x] Changes are covered by tests
  • [x] New TODOs have a related JIRA ticket

aditi-khare-mongoDB avatar Aug 15 '24 15:08 aditi-khare-mongoDB