Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.0k views
in Technique[技术] by (71.8m points)

security - Why is it not recommended to use server-side stored functions in MongoDB?

According to the MongoDB documentation, it isn't recommended to use server-side stored functions. What is the reason behind this warning?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

I am sure I have stated the list a couple of times despite the Google search result being filled only with people telling you how to do it:

  • It is eval
  • eval has natural abilities to be easily injected, it is like a non-PDO equilivant to SQL, if you don't buld a full scale escaping library around it it will mess you up. By using these functions you are effectively replacing the safer native language of MongoDB for something that is just as insecure as any old SQL out there.
  • It takes a global lock and can take write lock and will not release until the operation is completely done, unlike other operations which will release in certain cases.
  • eval only works on Primaries and never any other member of the replica set
  • It is basically running, unchecked, a tonne of JS in a bundled V8/spidermonkey envo that comes with MongoDB with full ability to touch any part of your database and admin commands, does that sound safe?
  • It is NOT MongoDB and nor is it "MongoDBs SQL", it runs within a built in JS environment, not MongoDBs C++ code itself (unlike the aggregation framework).
  • Due to the previous point it is EXTREMELY slow in comparison to many other options, this goes for $where usage as well.

That should be enough to get you started on this front.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...