Is exposing mongodb query over REST API safe?


Question

I am building a REST API for a service to query a MongoDB database. Initially, I went the standard route of providing "/user/1" to search for user id 1, etc. As I got further into the project, other developers started asking if we can add boolean search capabilities, such as being able to do "and", "not" and "or". Thinking of the amount of work needed to create a DSL for this, I thought about just having the REST API accept a MongoDB query JSON object, like so (pretend this is passed via POST):

/query/{"$or": [{"user": "1"}, {"user": "2"}]}

Now, before I pass that query to MongoDB, I will do the following:

  1. Validate the JSON object
  2. Make sure the string is used only in the query function, not update, runcommand, or aggregation
  3. Verify that there is no $where clause in the query, since that allows script execution

Would doing this be enough to prevent injection? Reading the MongoDB FAQ, it appears that passing JSON into the query operation is harmless, since you cannot run any javascript with it (with the exception of $where). Is this a safe approach to take?

Accepted answer

As you already note, due to the nature of the JSON parsing, MongoDB is not open to the same type of "scripting" injection attacks as can possibly be done with an API that allows SQL to pass through it.

For your point 2, the common sense approach is to have only certain operations as endpoints, such as query or update, and basically require authentication on the operations performed by the client. So you would not expose potentially dangerous operations to the API.

Also there is general authentication and roles to consider. So you would only allow the API to perform the actions that are allowed by its presented "role". That protects you some more without necessarily needing to check this in your code, or at least then just trap the error from an "unauthorized" operation.

Finally for 3, as a possible alternative to checking for the presence of the $where operator in a provided query (though the limitations of what you can do get better with each version), you can actually turn this off on the server using the --noscripting option.

So there really are quite a few protective measures you can take that help you avoid "script injection" attacks, but generally speaking the same sort of dangers do not exist.
