mongoDB injection

Submitted by 落花浮王杯 on 2019-12-06 18:47:39

Question


is there a common pattern in Java to avoid mongoDB injection attacks?

Thanks


Answer 1:


Use one of the supported drivers. Don't deserialize strings as JSON and pass them as queries, e.g. don't do this (in Ruby):

collection.send(query_type, JSON.parse(parameters))

where query_type and parameters are strings coming from a form. You would have to be criminally stupid to do this though.

Since there's no query language as such there's not the same room for injection. Part of the reason that SQL injection attacks are possible is that the action to take (SELECT, UPDATE, DELETE, etc.) is part of the query string. MongoDB, and many other newer databases, don't work like that, instead the action is a part of the API. Where SQL drivers only have query and in some cases exec, MongoDB has find, update, insert and remove.




Answer 2:


You can build MongoDB queries with JavaScript in the where clause, and here injection can happen. Here is an explanation of how to prevent this: https://docs.mongodb.com/manual/faq/fundamentals/#how-does-mongodb-address-sql-or-query-injection




Answer 3:


Most of the drivers are set up so that you construct queries as the language's representation of BSON documents. What languages do you intend to use mongo in?




Answer 4:


Yes there is, by using regex search. Ex: let's say you do a check by username and you are not using the EQ op. If I pass [a-z] for example I will bypass your login action :).

But anyway, it very much depends on the logic of how things are implemented in the solution.
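As an added example that is not part of the original answers, the two points made above (Answer 1's warning against turning form JSON straight into a query, and Answer 4's regex/operator bypass when the login check does not force an exact match) in code. It is written in JavaScript in the style of the Node.js MongoDB driver's object-literal filters and needs no database to run; the function names and the passwordHash field are my own assumptions.

```javascript
// Added example, not from the original answers. Builds a login filter so that
// form input can only ever be compared as a literal value, and guards any
// client-supplied JSON document before it is allowed to become a filter.

// Reject anything that is not a plain string: an object such as {"$ne": ""} or
// {"$regex": "[a-z]"} parsed from a request body would otherwise become an operator.
function requireString(value, field) {
  if (typeof value !== 'string') {
    throw new TypeError(`${field} must be a string, got ${Object.prototype.toString.call(value)}`);
  }
  return value;
}

// Safe filter (Answer 4): $eq forces an exact match, so a value like "[a-z]"
// is compared literally rather than interpreted as a pattern. The returned
// object is what you would hand to collection.findOne() in the Node driver.
function buildLoginFilter(username, passwordHash) {
  return {
    username: { $eq: requireString(username, 'username') },
    passwordHash: { $eq: requireString(passwordHash, 'passwordHash') },
  };
}

// Guard for the pattern Answer 1 warns about: if a client-supplied JSON
// document must be turned into a filter at all, refuse any key that starts
// with '$' or contains '.', at every nesting level, so no operator or
// dotted-path trick can be smuggled in. Returns the document unchanged if clean.
function assertNoOperators(doc, path = '') {
  if (Array.isArray(doc)) {
    doc.forEach((item, i) => assertNoOperators(item, `${path}[${i}].`));
  } else if (doc !== null && typeof doc === 'object') {
    for (const [key, value] of Object.entries(doc)) {
      if (key.startsWith('$') || key.includes('.')) {
        throw new Error(`operator or dotted key rejected at ${path}${key}`);
      }
      assertNoOperators(value, `${path}${key}.`);
    }
  }
  return doc;
}
```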



Source: https://stackoverflow.com/questions/4167077/mongodb-injection
