How can I generate safe path?
const myPath= `foo.bar.\`${userInput}\``;
bucket.mutate_in('myKey')
.insert(myPath,myData,{ createParents: true })
userInput
is a string , comes from end user , it can be dangerous , I just limit the size of string to 100 characters
In the following I show some userInput ==> myPath
example
foobar ===> foo.bar.`foobar`
foo bar ===> foo.bar.`foo bar`
it`s ==> foo.bar.`it`s`
it`.`childObject ===> foo.bar.`it`.`childObject`
As you can see, Here we have a security issue
How can I have a safe path?
What is the name of this issue? it is like SQL injection
As I show , user can change our structure , you want to save data at foo.bar.path
not foo.bar.other.path
,Is there any other issues?
Hey @socketman2016 ,
The pathing available from our sub-document API is relatively limited. If you want to prevent the user from pathing deeper than a single level, you should be able to simply strip away any .
characters. There is no need to worry about most things from SQL as there is no way to move ‘up or across’ levels with the sub-document pathing.
Cheers, Brett
My path is based on email and contains . character
email.`test@couchbase.com`
I just replace ` with `` , it is okay?
socketman2016:
My path is based on email and contains . character
email.`test@couchbase.com`
I just replace ` with `` , it is okay?
@brett19 can you confirm that replacing ` to`` can guaranteed safety
Hey @socketman2016 ,
Escaping of a the .
to prevent the user specifying a path which nests deeper than expected should be enough. There are no other safety concerns with sub-document, as it doesn’t allow you to perform any unsafe forms of operations from a path perspective.
Cheers, Brett
How can I escape . ? Replace with . ?
What about my approach? Replace with `` and sourond with
`
@brett19 Sorry that I mention you again, But I want to sure
Hey @socketman2016 ,
I actually recently stumbled upon our documented best practices for handling sub-document paths. It should help you immensely, you can find it here:
https://docs.couchbase.com/nodejs-sdk/2.6/subdocument-operations.html
You can also find a pending version of that document with all javascript examples here:
= Sub-Document Operations
include::partial$attributes.adoc[]
[abstract]
_Sub-Document_ operations can be used to efficiently access _parts_ of documents.
Sub-Document operations may be quicker and more network-efficient than _full-document_ operations such as _upsert_, _update_ and _get_ because they only transmit the accessed sections of the document over the network.
Sub-Document operations are also atomic, allowing safe modifications to documents with built-in concurrency control.
== Sub-Documents
Starting with Couchbase Server 4.5 you can atomically and efficiently update and retrieve _parts_ of a document.
These parts are called _Sub-Documents_.
While full-document retrievals retrieve the entire document and full document updates require sending the entire document, Sub-Document retrievals only retrieve relevant parts of a document and Sub-Document updates only require sending the updated portions of a document.
You should use Sub-Document operations when you are modifying only portions of a document, and full-document operations when the contents of a document is to change significantly.
[caption=Attention]
IMPORTANT: The Sub-Document operations described on this page are for _Key-Value_ requests only: they are not related to Sub-Document N1QL queries.
(ub-Document N1QL queries are explained in the section xref:n1ql-query.adoc[Querying with N1QL].)
In order to use Sub-Document operations you need to specify a _path_ indicating the location of the Sub-Document.
This file has been truncated. show original
Cheers, Brett
1 Like