28 lines
1.0 KiB
Plaintext
==== Operators are to be classified as dangerous

As a rule of thumb, if no operators are needed, you should reject user input
containing them outright. If some operators are necessary, you should restrict
their use to the specific operators that the feature requires, on the specific
fields where they are expected.

Some operators execute JavaScript on the database server, and their use should
be restricted for both untrusted input and internal code. +
These operators include:

* `$where`
* `$function`
* `$accumulator`
* `mapReduce` (a database command whose `map` and `reduce` functions are JavaScript)

Depending on your use case, you should first try using regular query operators,
aggregation stages or driver API calls before resorting to any of these. +
For example, a `$where` operator is unnecessarily complex when only a simple
field comparison is required. It also causes performance problems, because the
JavaScript function has to run against every document scanned instead of using
an index.

**Note**: https://www.mongodb.com/docs/manual/reference/operator/query/where/#javascript-enablement[Server-side scripting can be disabled]
(`security.javascriptEnabled: false` in the server configuration), which turns
off all of the JavaScript-executing operators listed above for the whole
deployment.

Regular operators can also lead to data leaks. +
For example, attackers can place comparison query operators such as `$ne` or
`$gt` in their input to turn an exact-match condition into a wildcard or range
condition, and the evaluation operator `$regex` lets them test one character of a
secret at a time. Either way, the backend database is tricked into giving hints
about sensitive information or entirely giving it out.