Sanitizing inputs to MongoDB

Submitted by 一笑奈何 on 2020-01-23 08:27:41

Question


I'm writing a REST interface to a MongoDB database program, and I'm trying to implement search functionality. I'd like to expose the entire MongoDB interface. I have two questions, really, but they're related so I'm putting them in one post:

  1. Is it safe to decode untrusted JSON with the Python json module, or is it like the pickle module in that it could allow arbitrary code execution?
  2. Is it safe to pass that decoded JSON to the PyMongo find() function?

Answer 1:


Python's JSON module should be safe to use with untrusted input, at least in its default configuration (i.e. you haven't supplied any of the custom decoders, which could potentially have exploits within them).

However, we cannot say with certainty that the results of json.loads() are safe to pass to pymongo's find() method. While the find() method will not modify (update or remove) data in mongodb, it is possible to craft intentionally very poorly performing queries, like the following which uses a specially-crafted $where clause to create very poor performance characteristics:

{"$where": "function() { for (var i=0; i<1000000; i++) {}; return true; }"}

Note that this is both valid JSON, and a valid mongodb query against.

For this reason, I wouldn't permit user-crafted JSON to be used directly as a query against mongodb, unless your users are all trusted (i.e. clients that you control directly, such as other servers/components within an application).
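A defensive check of the kind this answer calls for, added here as an example rather than code from the original post: it decodes the client's JSON and admits only an allowlist of field names and plain comparison operators before anything reaches find(), so a $where clause like the one above is refused. The operator set, the field allowlist and MAX_DEPTH are assumptions for the example.

```python
import json

# Operators a client may use in a filter. $where, $expr, $regex, $function,
# $and/$or and anything else not listed are rejected (assumed allowlist).
ALLOWED_OPERATORS = {"$eq", "$ne", "$gt", "$gte", "$lt", "$lte", "$in", "$nin"}
MAX_DEPTH = 4  # assumed bound on nesting of operator objects


def _is_scalar(value):
    return value is None or isinstance(value, (str, int, float, bool))


def validate_filter(node, allowed_fields, depth=0):
    """Walk a decoded JSON filter; raise ValueError on anything not allowlisted.

    Top-level keys must be allowed field names; their values are scalars or
    operator objects whose keys are all in ALLOWED_OPERATORS with scalar
    (or list-of-scalar) operands. Returns the same dict when it passes.
    """
    if depth > MAX_DEPTH:
        raise ValueError("filter nested too deeply")
    if not isinstance(node, dict):
        raise ValueError("filter must be a JSON object")
    for key, value in node.items():
        if key.startswith("$"):
            if key not in ALLOWED_OPERATORS:
                raise ValueError(f"operator not allowed: {key}")
            if key in ("$in", "$nin"):
                if not isinstance(value, list) or not all(_is_scalar(v) for v in value):
                    raise ValueError(f"{key} needs a list of scalars")
            elif not _is_scalar(value):
                raise ValueError(f"{key} needs a scalar operand")
        else:
            if key not in allowed_fields:
                raise ValueError(f"field not allowed: {key}")
            if isinstance(value, dict):
                # Must be an operator object such as {"$gt": 5}, never a subdocument.
                if not value or not all(k.startswith("$") for k in value):
                    raise ValueError(f"nested document not allowed under {key}")
                validate_filter(value, allowed_fields, depth + 1)
            elif not _is_scalar(value):
                raise ValueError(f"unsupported value for {key}")
    return node


def parse_client_filter(raw_json, allowed_fields):
    """Decode untrusted JSON and validate it; the result may be passed to find()."""
    return validate_filter(json.loads(raw_json), allowed_fields)


def filter_is_accepted(raw_json, allowed_fields):
    """True if the client filter decodes and passes validation, else False."""
    try:
        parse_client_filter(raw_json, allowed_fields)
        return True
    except (ValueError, TypeError):  # json.JSONDecodeError subclasses ValueError
        return False
```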



Source: https://stackoverflow.com/questions/7278238/sanitizing-inputs-to-mongodb
