JavaScript NoSQL Injection prevention in MongoDB
Question
How can I prevent JavaScript NoSQL injections into MongoDB?

I am working on a Node.js application and I am passing req.body, which is a JSON object, into the mongoose model's save function. I thought there were safeguards behind the scenes, but this doesn't appear to be the case.
Recommended answer
Note: My answer is incorrect. Please refer to other answers.
-
As a client program assembles a query in MongoDB, it builds a BSON object, not a string. Thus traditional SQL injection attacks are not a problem.
For details, follow the documentation.
Update
Avoid expressions like eval, which can execute arbitrary JS. If you are taking input from users and running eval-like expressions without cleaning the input, you can screw up. As pointed out by JoBu1324, operations like where, mapReduce and group permit executing JS expressions directly.