meteor 文档 http://docs.meteor.com/#dataandsecurity在“输入验证”下说:
Meteor allows your methods and publish functions to take arguments of any JSON type. (In fact, Meteor's wire protocol supports EJSON, an extension of JSON which also supports other common types like dates and binary buffers.) JavaScript's dynamic typing means you don't need to declare precise types of every variable in your app, but it's usually helpful to ensure that the arguments that clients are passing to your methods and publish functions are of the type that you expect.
Meteor provides a lightweight library for checking that arguments and other values are the type you expect them to be. Simply start your functions with statements like check(username, String) or check(office, {building: String, room: Number}). The check call will throw an error if its argument is of an unexpected type.
Meteor also provides an easy way to make sure that all of your methods and publish functions validate all of their arguments. Just run meteor add audit-argument-checks and any method or publish function which skips checking any of its arguments will fail with an exception.
mongo 注入(inject)问题在安全讲座中有更详细的解释:https://www.meteor.com/blog/2013/08/02/meteor-devshop-6-devshop-live-security-meteor-ui
所以我的问题是:
- 必须在调用 Mongo 之前执行
检查,否则可能会冒着将不受信任的 JS 对象发送到数据库的风险,从而可能导致 Mongo 注入(inject)漏洞? - 是的,应该在他的应用中添加audit-argument-checks以防止这种情况 - 这必须在所有 mongo 操作上完成,而不仅仅是在
find上吗? - 不确定 - 如果 1) 或 2) 为真,那么这如何转化为使用 ACL 样式的数据库访问规则 (
collection.allow/collection.deny)对 mongo api 的调用不会被手动check调用过滤,而是留给客户端? - 您可以将check添加到允许/拒绝函数中,但这取决于 2) 是否以及何时需要这样做
最佳答案
- 是的。如果您盲目相信客户端传递给方法调用的值,就会发生各种不好的事情。
- 这涉及到理论,可能很少有人能给你一个直接的答案,所以为什么要冒险呢?我强烈建议添加 audit-argument-checks为了安全起见,你所有的项目。
- 关于
allow和deny,find调用在这里没有风险,因为数据已经在客户端(可能是您的发布功能应该已经发布了正确的文件)。我认为这种情况下的风险更多地与不良数据有关,而不是与安全有关。只需在规则中添加check调用就足够简单了。例如:
Posts.allow({
insert: function(userId, doc) {
check(doc, {
_id: String,
message: String,
createdAt: Date
});
return true;
}
});
如果文档不符合模式,这将无法从客户端插入新帖子。
关于javascript - Meteor 是否存在 ACL 的 mongo 注入(inject)问题?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/21132967/