I'm using MongoDB with NodeJS and am wondering if I need to sanitize data before inserting/updating database documents. It's hard to find a definite answer and I'm wondering if there are any Node modules that do it nicely, or if I need to strip all occurrences of $ in strings, or if there is simply no need to worry about this. I know that PHP has holes, but I'm using the Node/Mongo (native driver) combo and am still not sure if I need to do any cleaning of user input.
2 solutions
#1
4
If you store your data as a String and you are not parsing it to execute a Mongo command, then there is nothing much to worry about.
Nice article on security
http://cr.yp.to/qmail/guarantee.html
The only problem occurs when you are retrieving the user input and you parse that input to execute the Mongo command; here you will need to take care to sanitize the input, or else you will get attacked.
There is an npm package to do that for you
https://www.npmjs.com/package/mongo-sanitize
and a nice article on this too
https://thecodebarbarian.wordpress.com/2014/09/04/defending-against-query-selector-injection-attacks/
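The answer above says the risk appears when user-controlled input is passed into a query as an object rather than as plain text. The block below is an added example (not code from the answer, nor from the mongo-sanitize package) showing two defensive approaches side by side: a small recursive sanitizer in the spirit of what mongo-sanitize does (drop any key that begins with `$` so it can never act as an operator), and the simpler fix of coercing each expected field to a string before building the filter. The `sanitize`, `buildLoginFilter` and `demo` function names and the JSON request body are assumptions constructed for this example.

```javascript
// Added example: defensive handling of a parsed JSON request body before it
// reaches a MongoDB query. Nothing here is the mongo-sanitize package itself;
// it only mirrors the idea of stripping operator-shaped keys.

// Recursively copy a value, dropping every object key that starts with '$'.
// Strings, numbers and booleans pass through unchanged, so ordinary data
// (including a string that merely contains '$') is not altered.
function sanitize(value) {
  if (Array.isArray(value)) {
    return value.map(sanitize);
  }
  if (value !== null && typeof value === 'object') {
    const clean = {};
    for (const key of Object.keys(value)) {
      if (key.startsWith('$')) continue; // operator-shaped key: drop it
      clean[key] = sanitize(value[key]);
    }
    return clean;
  }
  return value;
}

// The simpler defence: decide the expected type of each field and force it.
// An object supplied where a string was expected becomes the literal text
// "[object Object]", which can only ever match as a plain string value.
function buildLoginFilter(body) {
  return {
    username: String(body.username ?? ''),
    password: String(body.password ?? ''),
  };
}

// Constructed sample body (assumption): a client has sent an object in the
// password field instead of a string, as the answer's parsing scenario warns.
const constructedBody = JSON.parse('{"username":"alice","password":{"$gt":""}}');

// Returns both defensive results so they can be inspected or asserted on.
function demo() {
  return {
    sanitized: sanitize(constructedBody),        // password becomes {}
    filter: buildLoginFilter(constructedBody),   // password becomes a string
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real handler the `filter` object (or the `sanitized` body) is what would be passed to `collection.findOne(...)`; the point is that either step happens before the query is built, not after. Coercing types is preferable when the schema is known, because it also rejects arrays and numbers where a string was expected; the key-stripping approach is the fallback for free-form documents.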
#2
3
Yes, you do. For more information check this out; https://www.npmjs.com/package/content-filter
Also, the native escape() method might be used to protect the database.
Run the code snippet below to see the results.
let a = "{$gt:25}"        // a string shaped like a Mongo operator object
console.log(a)            // printed exactly as entered
console.log(escape(a))    // printed percent-encoded: '{', '$', ':' and '}' are no longer literal characters