MongoEngine: if and how to sanitize search & data input?

Question

I'm using MongoEngine in a project, and I was wondering if and how I need to sanitize user input when creating documents and searching them.

For example, when I'm creating a document by providing data from resources like scraped RSS feeds (with feedparser), they can have almost any type of string as data:

RSS(
    rss_link=news.link,
    link=news.feed.link,
    title=news.feed.title,
    subtitle=news.feed.subtitle,
    summary=news.feed.summary,
).save()

Or, when I'm exposing said collection for user queries to find relevant RSS resources:

objects = RSS.objects.search_text(user_input).order_by('$text_score')

Does any type of input sanitization need to be done? Is it different for both cases? The documentation doesn't seem to be discussing this.

Answer 1

Score: 1

When saving a document, MongoEngine will run the field validation. If you use a user_input in a query, you need to sanitize it; in this case I believe ensuring that user_input is a string should be sufficient (if you are concerned about injection). As discussed here, injection can be achieved by using dictionaries, so it's important to sanitize.
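
One way to enforce the type check the answer recommends before user input reaches a MongoEngine query (added example, not code from the original post or from MongoEngine; `MAX_QUERY_LEN` and the function names are assumptions, and `RSS` refers to the document class from the question):

```python
import unicodedata

MAX_QUERY_LEN = 256  # assumed cap; size it to your text index and UI


class BadSearchInput(ValueError):
    """Raised when user-supplied search text is rejected."""


def sanitize_search_input(value, max_len=MAX_QUERY_LEN):
    """Return a plain str that is safe to hand to search_text(), or raise.

    The essential check is the type: a dict such as {"$ne": None} passed
    where a str is expected would be forwarded to MongoDB as a query
    operator, which is the injection the answer refers to. The remaining
    steps (Unicode normalisation, dropping control characters, collapsing
    whitespace, capping length) keep the text index from seeing junk.
    """
    if not isinstance(value, str):
        raise BadSearchInput(
            f"search input must be str, got {type(value).__name__}"
        )
    value = unicodedata.normalize("NFKC", value)
    # drop control characters (category C*) but keep whitespace for split()
    value = "".join(
        ch for ch in value
        if ch.isspace() or not unicodedata.category(ch).startswith("C")
    )
    value = " ".join(value.split())  # collapse runs of whitespace
    if not value:
        raise BadSearchInput("search input is empty")
    if len(value) > max_len:
        raise BadSearchInput(f"search input longer than {max_len} chars")
    return value


def is_acceptable_search_input(value):
    """Boolean form of the check, convenient for request validation."""
    try:
        sanitize_search_input(value)
    except BadSearchInput:
        return False
    return True


# At the query site from the question:
#     objects = RSS.objects.search_text(
#         sanitize_search_input(user_input)
#     ).order_by('$text_score')
```

For the document-creation case, the equivalent guard is the field definition itself (for example `StringField(max_length=...)`), which MongoEngine validates on `save()` as the answer states.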

huangapple
  • Posted on 2020-01-07 01:35:23
  • Please keep this link when reposting: https://go.coder-hub.com/59616531.html