Francis M. Bacon

Reputation: 705

Javascript to Mongo query passthru. Secure? Bad practice?

I have a Mongo database. I want to create a scripted HTML browser for that data - basically a table of data with a search filter, and sort by column capabilities. I want to build the native Mongo query client side, and just have the server side pretty much straight up execute those (arbitrary) queries. Is that done? Is that bad practice? I will still implement limits and authentication of course.

Upvotes: 0

Views: 70

Answers (1)

B T

Reputation: 60875

The problems you could come across when doing this are:

  • The user could create long running queries that abuse your database server resources
  • The user could bollocks up your datas (and more importantly, the data of other users)
  • The user could access data they shouldn't have

If you can concoct ways to mitigate all these problems, then you can safely do what you want to do. I'm doing something very similar myself except that

A. I'm only allowing arbitrary search queries (no arbitrary updates, those are much more structured)

B. I'm wrapping queries with extra structure so that users can only see data they have access to

C. I'm keeping track of how long a query takes, and killing it if it takes too long (with the potential of doing more sophisticated user resource limiting in the system)

Upvotes: 1
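The three mitigations in the answer above (search-only, wrapped with an ownership constraint, time-boxed) translate naturally into a server-side guard that sits between the client's query object and the driver. The following is an added example, not code from the question or the answer: it assumes a single collection whose records carry an `ownerId` field, a fixed allowlist of searchable fields and comparison operators, and the Node.js driver's `find(filter, options)` call (shown only in a comment so the file runs stand-alone). Unknown fields and operators are rejected rather than silently stripped, the validated filter is AND-ed with `{ ownerId: user.id }` so the user cannot widen it, and `maxTimeMS` hands the "kill it if it runs too long" job to the server.

```javascript
// Added example (not part of the original post): guard a client-built MongoDB
// search filter before it reaches the driver. Assumed schema: every record has
// an `ownerId`; only the fields below are searchable/sortable.

const SEARCHABLE_FIELDS = new Set(['title', 'status', 'createdAt', 'tags']);
const ALLOWED_OPERATORS = new Set(['$eq', '$ne', '$gt', '$gte', '$lt', '$lte', '$in', '$regex', '$options']);
const MAX_LIMIT = 100;      // hard cap on rows per request
const MAX_TIME_MS = 2000;   // server-side execution budget per query
const MAX_REGEX_LENGTH = 64; // crude bound on regex size; long user patterns are a ReDoS risk

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Validate a client-supplied filter. Only allowlisted fields and comparison
// operators survive; anything else ($where, $expr, unknown fields such as
// ownerId, nested operator objects) throws instead of being quietly dropped.
function validateFilter(filter) {
  if (!isPlainObject(filter)) throw new Error('filter must be an object');
  for (const [key, value] of Object.entries(filter)) {
    if (key === '$and' || key === '$or') {
      if (!Array.isArray(value) || value.length === 0) throw new Error(`${key} needs a non-empty array`);
      value.forEach((sub) => validateFilter(sub));
      continue;
    }
    if (key.startsWith('$')) throw new Error(`top-level operator not allowed: ${key}`);
    if (!SEARCHABLE_FIELDS.has(key)) throw new Error(`field not searchable: ${key}`);
    if (isPlainObject(value)) {
      for (const [op, operand] of Object.entries(value)) {
        if (!ALLOWED_OPERATORS.has(op)) throw new Error(`operator not allowed: ${op}`);
        if (isPlainObject(operand)) throw new Error('nested operator objects not allowed');
        if (op === '$in' && !Array.isArray(operand)) throw new Error('$in needs an array');
        if ((op === '$regex' || op === '$options') &&
            (typeof operand !== 'string' || operand.length > MAX_REGEX_LENGTH)) {
          throw new Error(`${op} must be a short string`);
        }
      }
    } else if (Array.isArray(value)) {
      throw new Error('array values are only allowed under $in');
    }
  }
  return filter;
}

// Wrap the validated filter with the ownership constraint and clamp the
// paging/sort parameters sent alongside it. Returns what the driver needs.
function buildGuardedQuery(user, request) {
  const userFilter = validateFilter(request.filter || {});
  // The user's own filter can only narrow this, never widen it.
  const filter = { $and: [{ ownerId: user.id }, userFilter] };

  const sortField = request.sortBy || 'createdAt';
  if (!SEARCHABLE_FIELDS.has(sortField)) throw new Error(`cannot sort by ${sortField}`);
  const sort = { [sortField]: request.sortDir === 'asc' ? 1 : -1 };

  const limit = Math.min(Math.max(Number(request.limit) || 20, 1), MAX_LIMIT);
  const skip = Math.max(Number(request.skip) || 0, 0);

  return { filter, options: { sort, limit, skip, maxTimeMS: MAX_TIME_MS } };
}

// Usage with the Node.js driver (assumed, not executed here):
//   const { filter, options } = buildGuardedQuery(req.user, req.body);
//   const rows = await collection.find(filter, options).toArray();
```

The allowlist approach deliberately covers only a `find`; updates stay out of the passthrough entirely, matching point A above. Note that `maxTimeMS` bounds execution on the server but does not stop a client from issuing many cheap queries in a row, so per-user rate limiting is still a separate control.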
