Why is it not recommended to use server-side stored functions in MongoDB?


Question

According to the MongoDB documentation, it isn't recommended to use server-side stored functions. What is the reason behind this warning?

Recommended answer

I am sure I have stated the list a couple of times despite the Google search result being filled only with people telling you how to do it:

  • It is eval
  • eval has natural abilities to be easily injected, it is like a non-PDO equivalent to SQL, if you don't build a full scale escaping library around it it will mess you up. By using these functions you are effectively replacing the safer native language of MongoDB for something that is just as insecure as any old SQL out there.
  • It takes a global lock and can take write lock and will not release until the operation is completely done, unlike other operations which will release in certain cases.
  • eval only works on Primaries and never any other member of the replica set
  • It is basically running, unchecked, a tonne of JS in a bundled V8/spidermonkey envo that comes with MongoDB with full ability to touch any part of your database and admin commands, does that sound safe?
  • It is NOT MongoDB and nor is it "MongoDB's SQL", it runs within a built in JS environment, not MongoDB's C++ code itself (unlike the aggregation framework).
  • Due to the previous point it is EXTREMELY slow in comparison to many other options, this goes for $where usage as well.

That should be enough to get you started on this front.
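
An added example, not part of the original answer, of the injection point in the list above: the same lookup written as concatenated JavaScript source (as with eval or $where) and as a native query document. The function names and the sample collection are hypothetical, and `runWhere` and `runNativeFilter` are local stand-ins for the server so the block runs without MongoDB.

```javascript
// Local stand-in for server-side JS evaluation ($where / eval): the string is
// compiled and run once per document with `this` bound to that document.
function runWhere(docs, whereSource) {
  const predicate = new Function("return (" + whereSource + ");");
  return docs.filter((doc) => Boolean(predicate.call(doc)));
}

// Local stand-in for a native equality filter such as { owner: value }:
// the value is compared as data and is never parsed as code.
function runNativeFilter(docs, filter) {
  return docs.filter((doc) =>
    Object.entries(filter).every(([field, value]) => doc[field] === value)
  );
}

// Constructed sample collection.
const invoices = [
  { _id: 1, owner: "alice", total: 40 },
  { _id: 2, owner: "bob", total: 75 },
  { _id: 3, owner: "carol", total: 12 },
];

// Unsafe: request input becomes part of the JavaScript source text.
function findByOwnerUnsafe(docs, owner) {
  return runWhere(docs, "this.owner == '" + owner + "'");
}

// Safer: input stays a value inside a query document. Non-strings are
// rejected so an operator object from parsed JSON cannot be passed in.
function findByOwnerSafe(docs, owner) {
  if (typeof owner !== "string") throw new TypeError("owner must be a string");
  return runNativeFilter(docs, { owner });
}

// Constructed input that closes the quote and appends a tautology.
const hostile = "x' || '1' == '1";

console.log(findByOwnerUnsafe(invoices, "bob").length);   // one invoice
console.log(findByOwnerUnsafe(invoices, hostile).length); // every invoice
console.log(findByOwnerSafe(invoices, hostile).length);   // no match
```
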
