发表新帖
发表新帖

How dangerous is a mongo query which is fed directly from a URL query string?

后端 未结
关注
3 1798
野趣味
野趣味 2020-12-29 07:00

I am playing around with node.js, express, and mongoose.

For the sake of getting something up and running right now I am passing the Express query string object dire

相关标签:
3条回答
  • 庸人自扰
    2020-12-29 07:21

    Operator injection is a serious problem here and I would recommend you at least encode/escape certain characters, more specifically the $ symbol: http://docs.mongodb.org/manual/faq/developers/#dollar-sign-operator-escaping

    If the user is allowed to append a $ symbol to the beginning of strings or elements within your $_GET or $_POST or whatever they will quickly use that to: http://xkcd.com/327/ and you will be a gonner, to say the least.

    0 讨论(0)
  • 傲寒
    2020-12-29 07:32

    As far as injection being problem, like with SQL, the risk is significantly lower... albeit theoretically possible via an unknown attack vector.

    The data structures and protocol are binary and API driven rather than leveraging escaped values within a domain-specific-language. Basically, you can't just trick the parser into adding a ";db.dropCollection()" at the end.

    If it's only used for queries, it's probably fine... but I'd still caution you to use a tiny bit of validation:

    • Ensure only alphanumeric characters (filter or invalidate nulls and anything else you wouldn't normally accept)
    • Enforce a max length (like 255 characters) per term
    • Enforce a max length of the entire query
    • Strip special parameter names starting with "$", like "$where" & such
    • Don't allow nested arrays/documents/hashes... only strings & ints

    Also, keep in mind, an empty query returns everything. You might want a limit on that return value. :)

    0 讨论(0)
  • [愿得一人]
    2020-12-29 07:35

    As far as i know Express doesnt provide any out of box control for sanitization. Either you can write your own Middleware our do some basic checks in your own logic.And as you said the case you mention is a bit risky.

    But for ease of use the required types built into Mongoose models at least give you the default sanitizations and some control over what gets into or not.

    E.g something like this

    var Person = new Schema({
  title   : { type: String, required: true }
, age     : { type: Number, min: 5, max: 20 }
, meta    : {
      likes : [String]
    , birth : { type: Date, default: Date.now }
  }

    });

    Check this for more info also.

    http://mongoosejs.com/docs/2.7.x/docs/model-definition.html

    0 讨论(0)
 看不清?
提交回复
热议问题