MongoDB 中的 JavaScript NoSQL 注入预防 [英] JavaScript NoSQL Injection prevention in MongoDB

问题描述

如何防止 JavaScript NoSQL 注入 MongoDB?

How can I prevent JavaScript NoSQL injections into MongoDB?

我正在开发一个 Node.js 应用程序，我正在将 req.body(一个 json 对象)传递到 mongoose 模型的保存函数中.我以为幕后有保护措施，但事实并非如此.

I am working on a Node.js application and I am passing req.body, which is a json object, into the mongoose model's save function. I thought there were safeguards behind the scenes, but this doesn't appear to be the case.

推荐答案

注意我的答案是不正确的.请参考其他答案.

Note My answer is incorrect. Please refer to other answers.

--

当客户端程序在 MongoDB 中组装查询时，它会构建一个 BSON 对象，不是字符串.因此传统的 SQL 注入攻击不是问题.

As a client program assembles a query in MongoDB, it builds a BSON object, not a string. Thus traditional SQL injection attacks are not a problem.

详情请参考 文档

更新

避免像 eval 这样可以执行任意 JS 的表达式.如果您从用户那里获取输入并运行 eval 之类的表达式而不清理输入，您可能会搞砸.正如 JoBu1324 所指出的，where、mapReduce 和 group 等操作允许直接执行 JS 表达式.

Avoid expression like eval which can execute arbitrary JS. If you are taking input from user and running eval like expressions without cleaning the input you can screw up. As pointed by JoBu1324, operations like where, mapReduce and group permit to execute JS expressions directly.

这篇关于MongoDB 中的 JavaScript NoSQL 注入预防的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！