PMXBOT Log file Viewer

#mongodb logs for Sunday the 19th of June, 2016

[04:55:27] <sector_0> hello
[04:56:38] <sector_0> when accepting data from a user that is going to be used for a query, is it safe to let him/her define the JSON parameter?
[04:57:51] <sector_0> for example I have a query that looks something like this: db.col.find({format: userInput})
[04:58:50] <sector_0> so the user is free to input things like: {$in: ["val1", "val2"]}, "val1", etc
[04:59:06] <sector_0> is this safe?
[05:25:32] <sector_0> keeping in mind that the data in that particular collection isn't sensitive
[05:26:00] <sector_0> It's public data, but I just want users to be able to filter results
[08:18:03] <iocube> Hi. pymongo question, how can I tell mongo to authenticate on database different from 'admin'?
[08:19:12] <iocube> for example, I created a user (db.createUser()) on the 'test' database, and I want to authenticate against the 'test' database
[08:20:43] <iocube> test.authenticate('testuser', 'testpwd') gives me an error: SCRAM-SHA-1 authentication failed for testuser on admin from client 127.0.0.1 ; UserNotFound: Could not find user testuser@admin
[08:31:18] <iocube> OK. this works. client = pymongo.MongoClient('mongodb://<user>:<password>@<address>:<ip>/<database_name>')
[12:15:30] <bratner> Is there a way to extend the c++ stream builder interface with custom types ? ex: mydocument << "key" << value_of_custom_type;
[12:15:35] <bratner> ?
[13:17:33] <someone235> Hi, I try to install mongo by following these instructions: https://docs.mongodb.com/ecosystem/platforms/amazon-ec2/ . but I get "No package mongodb-org-server available". Does someone know why and how to fix this?
[13:24:21] <bratner> someone235, run 'cat /etc/yum/repos.d/mongodb.repo' see if you have it correct.
[13:26:07] <bratner> is there a "built-in" way to make mongo refuse to insert a document with specific key:value pair?
[13:31:58] <someone235> bratner, it seems that there was a typo in the docs
[13:33:06] <someone235> bratner, now it says: The file /dev/xvdf does not exist and no size was specified.
[14:10:07] <kurushiyama> bratner https://docs.mongodb.com/manual/core/document-validation/#document-validation
[14:10:42] <kurushiyama> someone235 You can not store directly onto the block device.
[14:52:57] <bratner> kurushiyama, thanks!
[14:56:08] <kurushiyama> bratner You are welcome!
[16:15:13] <SubMind> hey how to import mongodb in angular2 ?
[19:45:17] <sector_0> what's the best way to let a user define filters for a search
[19:45:52] <sector_0> currently I'm testing my server with the user inputting raw JSON, which is then used in the find() function
[19:46:40] <sector_0> the data isn't too sensitive so I currently can't think of any security risk of doing this, but at the same time I'm not that sensible when it comes to mongodb
[19:46:52] <sector_0> can someone advise me?
[19:47:15] <bratner> sector_0, never trust the user. ever ever ever....
[19:47:49] <sector_0> I don't, but it the JSON is used in the find function, I don't see what can go wrong
[19:47:59] <sector_0> I'm not saying it can't but I just don't see it
[19:48:29] <sector_0> s/it/if
[19:48:51] <sector_0> bratner, what would be a good alternative?
[19:49:05] <bratner> sector_0, (1) verify that it is JSON. (2) verify that the JSON is correct in context of that specific find function.
[19:50:34] <sector_0> bratner, currently my code looks like this: find({someField: {$in: userData}})
[19:50:55] <sector_0> so the user can only send an array
[19:51:01] <sector_0> is that ok?
[19:51:42] <sector_0> ...and of course there's the proper JSON parsing before, and the test to make certain it's actually an array
[19:51:45] <bratner> sector_0, can userData be like "foo"}}) $or {doSomeEvilShit}})
[19:52:15] <sector_0> bratner, no it has to be an array
[19:52:46] <bratner> sector_0, I don't know mongo enough to tell you. I'm a total noob. Search for known injections of JSON to see how they worked.
[19:53:11] <sector_0> bratner, I have, but it's mostly a result of carelessness
[19:53:34] <sector_0> http://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html
[19:54:33] <sector_0> if you just do something like: find({field: JSON.parse(userData)})
[19:54:58] <sector_0> then the user is free to inject anything basically
[19:54:58] <bratner> sector_0, slide 7 has some regexes http://www.slideshare.net/null0x00/json-injection
[19:57:28] <bratner> sector_0, in any case this is a best-effort defense. Monitor the queries and flag suspicious users and lock them out automatically so they will have to explain themselves.
[19:59:56] <bratner> do people who use the c++ driver visit this channel?
[21:11:51] <bratner> In the c++ API, can one create a bson array directly from std::vector<> or a basic C++ array?