如何通过控制台防止集合修改以进行其他安全的更新操作? [英] How to prevent collection modification via console for an otherwise secure update operation?

问题描述

我对 Meteor 相当陌生，只是想弄清楚流星的安全性.

I am fairly new to Meteor and am just trying to figure out meteor security.

我正在编写一个测验应用程序，允许登录用户保存他们的分数.我创建了一个包含用户 ID 和分数数组的集合.我公开推送新分数的方式是服务器端的一种方法:

I am writing a quiz app that allows a logged in user to save their scores. I have created a collection which consists of a user id and an array of scores. The way I expose a push of new score is a method on the server side:

Meteor.methods({ 
  'pushScore' : function(playerId, playerScore) {
    UserScores.upsert({ userId : playerId}, {$push : {scores : playerScore}});
  }
});

我在客户端单击按钮时调用该方法，如下所示:

I call the method on click of a button from the client like so:

if (Meteor.userId()){
  Meteor.call('pushScore', Meteor.userId(), Session.get("score"));
}

我有以下问题:

• 显然，用户可以在会话"中操纵分数值并欺骗系统.有什么替代的安全机制可以在进行测验时跟踪跑分?
• 另一个可能是一个更大的问题.如何防止用户只是向我的方法pushScore"发出控制台调用并再次通过添加来欺骗系统，比如说 100 分?
• 我在这里的设计方式是否存在固有缺陷?

这只是一个示例应用程序，但我可以很容易地想象一个可以模仿这一点的真实世界场景.在这种情况下，最佳做法是什么?

This is just a sample application, but I can easily imagine a real world scenario which could mimic this. What woudl be a best practice in such a scenario?

提前致谢.

干杯..

推荐答案

正如@Peppe 建议的那样，您应该以某种方式将逻辑移至服务器.Meteor 安全(以及一般的网络安全)的主要规则是

As @Peppe suggested, you should move the logic to the server somehow. The main rule for Meteor security (and web security in general) is

这样做的原因是你已经提到的:如果有客户端可以做的事情，那么没有办法阻止流氓用户从浏览器控制台做同样的事情，甚至无法编写自己的将利用泄漏的恶意客户端.

The reason for that is what you've already mentioned: if there is something a client can do, then there is no way to stop a rogue user to do the same thing from the browser console, or even to write his own malicious client that will exploit the leak.

就您而言，这意味着如果客户能够为分数加分，那么无论您采用何种安全措施，用户也可以这样做.您可以使这或多或少变得困难，但您的系统设计了无法完全关闭的泄漏.

In your case, that means that if client is able to add points to scores, then the user is able to do so as well, regardless on what security measures you employ. You can make this more or less difficult, but your system has a designed leak which cannot be completely closed.

因此，唯一万无一失的解决方案是让服务器决定何时分配点数.我假设在测验应用程序中，用户在选择问题的正确答案时会获得积分.因此，不要在客户端进行检查，而是创建一个服务器端方法，该方法将接收问题 ID、答案 ID，并在答案正确时增加用户分数.然后确保用户不能只使用与您的测验设计相对应的方式来调用所有可能的答案的方法 - 例如，如果选择了错误的答案，则给负分，或者允许在一段时间内只回答一次相同的问题.

Thus, the only bulletproof solution is to make the server decide on when to assign points. I assume that in a quiz app user gets points when he choose the right answer to a question. So instead of checking that on the client, create a server–side method that will receive the question ID, answer ID, and increase user scores if the answer is correct. Then make sure user cannot just call this method with all possible answer, with a way that corresponds to your quiz design – for example give negative points if wrong answer is chosen, or allow to answer the same question only once in a period of time.

最后，确保客户端不只是在它收到的数据中获得正确的答案 ID.

Finally, make sure the client doesn't just get the correct answer ID in the data it receives.

这篇关于如何通过控制台防止集合修改以进行其他安全的更新操作?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！