I'm writing a REST interface to a MongoDB database program, and I'm trying to implement search functionality. I'd like to expose the entire MongoDB interface. I have two questions, really, but they're related so I'm putting them in one post:
- Is it safe to decode untrusted JSON with the Python json module, or is it like the pickle module in that it could allow arbitrary code execution?
- Is it safe to pass that decoded JSON to the PyMongo find() function?
Python's JSON module should be safe to use with untrusted input, at least in its default configuration (i.e. you haven't supplied any of the custom decoders, which could potentially have exploits within them).
However, we cannot say with certainty that the results of json.loads() are safe to pass to pymongo's find() method. While the find() method will not modify (update or remove) data in mongodb, it is possible to craft intentionally very poorly performing queries, like the following which uses a specially-crafted $where clause to create very poor performance characteristics:
{"$where": "function() { for (var i=0; i<1000000; i++) {}; return true; }"}
Note that this is both valid JSON, and a valid mongodb query against.
For this reason, I wouldn't permit user-crafted JSON to be used directly as a query against mongodb, unless your users are all trusted (i.e. clients that you control directly, such as other servers/components within an application).
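Added example (not part of the question or the answer above): one way to act on the answer's advice without giving up JSON-based search. The client's JSON is decoded with the stdlib json module, and the result is then checked against an explicit allow-list before it is handed to find(). The field names (title, author, year, tags), the operator allow-list, the nesting limit and the string/list size limits are assumptions chosen for this example; a real service would substitute its own schema. Anything starting with "$" that is not on the list, including the $where clause shown in the answer, is rejected.

```python
import json
from typing import Any

# Assumed schema for this example: the only fields a client may filter on.
ALLOWED_FIELDS = {"title", "author", "year", "tags"}

# Operators we are willing to forward to find(). $where, $regex, $expr and
# any server-side JavaScript are deliberately absent from both sets.
COMPARISON_OPERATORS = {"$eq", "$ne", "$gt", "$gte", "$lt", "$lte", "$in", "$nin"}
LOGICAL_OPERATORS = {"$and", "$or"}

MAX_DEPTH = 4          # assumed limit on $and/$or nesting
MAX_STRING_LEN = 256   # assumed limit on any string operand
MAX_LIST_LEN = 100     # assumed limit on $in/$nin arrays
SCALAR_TYPES = (str, int, float, bool, type(None))


class UnsafeQuery(ValueError):
    """Raised when the decoded JSON contains something we refuse to forward."""


def _check_scalar(value: Any) -> None:
    # json.loads only ever yields dict, list, str, int, float, bool or None,
    # so rejecting dict/list here leaves exactly the plain comparison operands.
    if not isinstance(value, SCALAR_TYPES):
        raise UnsafeQuery(f"unexpected operand type {type(value).__name__}")
    if isinstance(value, str) and len(value) > MAX_STRING_LEN:
        raise UnsafeQuery("string operand too long")


def _check_condition(field: str, cond: Any) -> None:
    """The value side of a field: a bare scalar or {operator: operand, ...}."""
    if not isinstance(cond, dict):
        _check_scalar(cond)
        return
    if not cond:
        raise UnsafeQuery(f"empty condition for field {field!r}")
    for op, operand in cond.items():
        if op not in COMPARISON_OPERATORS:
            raise UnsafeQuery(f"operator {op!r} is not permitted")
        if op in ("$in", "$nin"):
            if not isinstance(operand, list) or len(operand) > MAX_LIST_LEN:
                raise UnsafeQuery(f"{op} requires a list of at most {MAX_LIST_LEN} items")
            for item in operand:
                _check_scalar(item)
        else:
            _check_scalar(operand)


def _check_filter(node: Any, depth: int) -> None:
    """Validate one filter document; recurse only through $and / $or."""
    if depth > MAX_DEPTH:
        raise UnsafeQuery("filter nested too deeply")
    if not isinstance(node, dict):
        raise UnsafeQuery("filter must be a JSON object")
    for key, value in node.items():
        if key in LOGICAL_OPERATORS:
            if not isinstance(value, list) or not value:
                raise UnsafeQuery(f"{key} requires a non-empty array of filters")
            for sub in value:
                _check_filter(sub, depth + 1)
        elif key.startswith("$"):
            # Covers $where, $expr, $text, $comment and anything added later.
            raise UnsafeQuery(f"top-level operator {key!r} is not permitted")
        elif key in ALLOWED_FIELDS:
            _check_condition(key, value)
        else:
            raise UnsafeQuery(f"field {key!r} is not searchable")


def parse_untrusted_query(raw: str) -> dict:
    """Decode client-supplied JSON and return it only if every key passes the allow-list."""
    try:
        decoded = json.loads(raw)  # default decoder: data only, no code execution
    except json.JSONDecodeError as exc:
        raise UnsafeQuery(f"invalid JSON: {exc.msg}") from None
    _check_filter(decoded, depth=1)
    return decoded


if __name__ == "__main__":
    # Constructed inputs for a quick local run; no database needed.
    print(parse_untrusted_query('{"author": "Knuth", "year": {"$gte": 1968}}'))
    try:
        parse_untrusted_query('{"$where": "function() { for (var i=0; i<1000000; i++) {}; return true; }"}')
    except UnsafeQuery as exc:
        print("rejected:", exc)
    # In the REST handler the accepted filter would then be used as
    #   collection.find(parse_untrusted_query(body), max_time_ms=2000)
```

The validator is kept independent of pymongo so it can be unit-tested without a server. Because the answer's concern is query cost rather than data modification, pairing the allow-list with find()'s max_time_ms keyword gives a server-side backstop for any expensive query that still gets through.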