Sanitizing inputs to MongoDB


Question

I'm writing a REST interface to a MongoDB database program, and I'm trying to implement search functionality. I'd like to expose the entire MongoDB interface. I have two questions, really, but they're related so I'm putting them in one post:

  1. Is it safe to decode untrusted JSON with Python's json module, or can it permit arbitrary code execution the way the pickle module does?
  2. Is it safe to pass the decoded JSON to PyMongo's find() function?

Recommended answer

Python's JSON module should be safe to use with untrusted input, at least in its default configuration (i.e. you haven't supplied any of the custom decoders, which could potentially have exploits within them).

However, we cannot say with certainty that the results of json.loads() are safe to pass to pymongo's find() method. While the find() method will not modify (update or remove) data in mongodb, it is possible to craft intentionally very poorly performing queries, like the following which uses a specially-crafted $where clause to create very poor performance characteristics:

{"$where": "function() { for (var i=0; i<1000000; i++) {}; return true; }"}

Note that this is both valid JSON and a valid mongodb query.

For this reason, I wouldn't permit user-crafted JSON to be used directly as a query against mongodb, unless your users are all trusted (i.e. clients that you control directly, such as other servers/components within an application).
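One way to act on this advice, as an added example that is not part of the question or the answer above: decode the request body with json.loads(), then walk the result and keep only an allowlist of query operators before anything reaches collection.find(). The allowlist, the size and depth limits and the sample request bodies are all assumptions made for this example; the $where body is the one from the answer. Note also that json.loads() accepts the non-standard literals NaN and Infinity by default, which the parse_constant hook below rejects.

```python
import json

# Assumed allowlist of query operators an untrusted search caller may use.
# Anything that evaluates server-side JavaScript ($where, $expr, $function)
# or is a ReDoS vector ($regex) is deliberately left out.
ALLOWED_OPERATORS = frozenset({
    "$eq", "$ne", "$gt", "$gte", "$lt", "$lte",
    "$in", "$nin", "$exists", "$and", "$or", "$nor", "$not",
})
MAX_DEPTH = 8          # assumed bound on nesting of the query document
MAX_LIST_ITEMS = 100   # assumed bound on $in/$or/... list lengths
MAX_BYTES = 4096       # assumed bound on the raw request body


class UnsafeQuery(ValueError):
    """Raised when the decoded JSON is not an acceptable find() filter."""


def _reject_constant(token):
    # json.loads calls this for 'NaN', 'Infinity' and '-Infinity', which are
    # not strict JSON; refuse them instead of turning them into floats.
    raise UnsafeQuery(f"non-standard JSON literal {token!r}")


def sanitize_query(node, depth=0):
    """Return a copy of a decoded JSON value containing only allowlisted
    operators, plain field names and scalars; raise UnsafeQuery otherwise."""
    if depth > MAX_DEPTH:
        raise UnsafeQuery("query nested too deeply")
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            # Any $-prefixed key is an operator; only the allowlist passes.
            if key.startswith("$") and key not in ALLOWED_OPERATORS:
                raise UnsafeQuery(f"operator {key!r} is not permitted")
            if "\x00" in key:
                raise UnsafeQuery("NUL byte in field name")
            out[key] = sanitize_query(value, depth + 1)
        return out
    if isinstance(node, list):
        if len(node) > MAX_LIST_ITEMS:
            raise UnsafeQuery("list too long")
        return [sanitize_query(item, depth + 1) for item in node]
    if node is None or isinstance(node, (bool, int, float, str)):
        return node
    raise UnsafeQuery(f"unsupported value type {type(node).__name__}")


def parse_untrusted_query(raw: str) -> dict:
    """Decode a request body with json.loads (which, unlike pickle, has no
    code-execution path) and sanitize it before it is handed to find()."""
    if len(raw) > MAX_BYTES:
        raise UnsafeQuery("request body too large")
    decoded = json.loads(raw, parse_constant=_reject_constant)
    if not isinstance(decoded, dict):
        raise UnsafeQuery("query must be a JSON object")
    return sanitize_query(decoded)


def classify(raw: str) -> str:
    """Demo helper: 'accepted' or the reason the body was rejected."""
    try:
        parse_untrusted_query(raw)
        return "accepted"
    except UnsafeQuery as exc:
        return f"rejected: {exc}"
    except json.JSONDecodeError as exc:
        return f"rejected: malformed JSON ({exc.msg})"


# Constructed sample request bodies; the second is the $where DoS from the answer.
SAMPLES = [
    '{"name": "alice", "age": {"$gte": 18}}',
    '{"$where": "function() { for (var i=0; i<1000000; i++) {}; return true; }"}',
    '{"$or": [{"tag": "x"}, {"$where": "true"}]}',
    '{"score": NaN}',
    '["not", "an", "object"]',
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(f"{body[:60]:<60} -> {classify(body)}")
    # With pymongo installed the accepted filter would be used as
    # collection.find(parse_untrusted_query(body)); pymongo is not imported
    # here so the example runs offline.
```

The allowlist approach is preferable to a blocklist of known-bad operators because new server-side evaluation operators can appear in later MongoDB releases; a filter that only passes what it explicitly recognizes fails closed. Restricting which field names may be queried, and pairing every find() with a server-side time limit, are further controls this example does not show.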

