How dangerous is a mongo query which is fed directly from a URL query string?


Problem description

I am playing around with node.js, express, and mongoose.

For the sake of getting something up and running right now I am passing the Express query string object directly to a mongoose find function. What I am curious about is how dangerous would this practice be in a live app. I know that a RDBMS would be extremely vulnerable to SQL injection. Aside from the good advice of "sanitize your inputs" how evil is this code:

app.get('/query', function (req, res) {
    models.findDocs(req.query, function (err, docs) {
        res.send(docs);
    });
});

Meaning that a GET request to http://localhost:8080/query?name=ahsteele&status=a would just shove the following into the findDocs function:

{
  name: 'ahsteele',
  status: 'a'
}

This feels icky for a lot of reasons, but how unsafe is it? What's the best practice for passing query parameters to mongodb? Does express provide any out of the box sanitization?

Solution

As far as injection being a problem, like with SQL, the risk is significantly lower... albeit theoretically possible via an unknown attack vector.

The data structures and protocol are binary and API driven rather than leveraging escaped values within a domain-specific-language. Basically, you can't just trick the parser into adding a ";db.dropCollection()" at the end.

If it's only used for queries, it's probably fine... but I'd still caution you to use a tiny bit of validation:

  • Ensure only alphanumeric characters (filter or invalidate nulls and anything else you wouldn't normally accept)
  • Enforce a max length (like 255 characters) per term
  • Enforce a max length of the entire query
  • Strip special parameter names starting with "$", like "$where" & such
  • Don't allow nested arrays/documents/hashes... only strings & ints

Also, keep in mind, an empty query returns everything. You might want a limit on that return value. :)
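The validation rules listed in the answer, implemented as a whitelist filter that sits between req.query and the find call. This is an added example, not code from the question or the answer; the names sanitizeQuery, buildFind, MAX_TERM_LENGTH, MAX_QUERY_LENGTH and DEFAULT_LIMIT are the example's own, and it assumes the Express default query parser (qs), which turns ?name[$ne]=x into a nested object and ?a=1&a=2 into an array.

```javascript
// Added example (not from the original question or answer): a whitelist
// filter for an Express req.query object before it reaches Model.find(),
// implementing the validation rules from the answer. The names below are
// the example's own, not an Express or mongoose API.
const MAX_TERM_LENGTH = 255;   // per key and per value
const MAX_QUERY_LENGTH = 1024; // sum of all keys and values
const DEFAULT_LIMIT = 100;     // an empty filter would otherwise return everything
const ALNUM = /^[A-Za-z0-9]+$/;

// Returns a plain { field: value } object, or null if anything is rejected.
function sanitizeQuery(query) {
  if (query === null || typeof query !== 'object' || Array.isArray(query)) return null;
  const clean = {};
  let total = 0;
  for (const key of Object.keys(query)) {
    const value = query[key];
    // Operator-style keys such as $where never come from a legitimate form field.
    if (key.startsWith('$')) return null;
    // Keys must be alphanumeric too (this also rules out dotted paths into subdocuments).
    if (!ALNUM.test(key) || key.length > MAX_TERM_LENGTH) return null;
    // Only strings and ints: nested objects (?name[$ne]=x) and arrays (?a=1&a=2) are refused.
    let scalar;
    if (typeof value === 'string') {
      if (!ALNUM.test(value) || value.length > MAX_TERM_LENGTH) return null;
      scalar = value;
    } else if (Number.isInteger(value)) {
      scalar = value;
    } else {
      return null;
    }
    total += key.length + String(scalar).length;
    if (total > MAX_QUERY_LENGTH) return null;
    clean[key] = scalar;
  }
  return clean;
}

// Builds the arguments for Model.find(filter).limit(n). A null result means
// the request should be answered with 400 rather than passed to the database.
function buildFind(query, limit = DEFAULT_LIMIT) {
  const filter = sanitizeQuery(query);
  if (filter === null) return null;
  return { filter, limit };
}
```

Wire it in as `const args = buildFind(req.query); if (args === null) return res.status(400).end();` and then call find with `args.filter` and `args.limit`, so the empty-query case from the answer is capped as well.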
