Mongodb – Is it dangerous to expose MongoDB’s db.collection.find to users

Tags: mongodb, security

I know in SQL land people love referring to Little Bobby Tables as the main reason to have a very strict interface between your user base and your database.

However, I want to implement a robust query solution using MongoDB, and it seems like I can theoretically give a user an interface that grants them full reign to what they want to query for.

The only danger I see is a user creating a long running query, which can be mitigated by using $maxTimeMS with my db.collection.find query. Am I being naive?

I figure since db.collection.find forces queries to a particular collection, users would only have access to that collection. So they could only search in the websites collection, but not in the users collection.

Best Answer

The real answer is it depends, but most of the time this probably isn't a good idea. SELECT, while it is less nefarious than the other CRUD commands, still carries risk.

Why this is probably a bad plan

  • Most applications with databases have some concept of an authenticated user vs a non-authenticated user. If I have unrestricted SELECT only access to the database I can find your hashed passwords and brute force the password offline.
  • I can mine your database for your users' contact information to let them know about my buddy who is an African prince with a problem accessing his funds.
  • I can DDoS your server by crafting long running queries and repeating them every timeout.
  • I can create lots of memory intensive queries to drain resources as well
  • I can scrape your data and use it for my own profit.
  • I can increase your bandwidth costs by repeatedly requesting large amounts of data
  • And many more things

It is important to note that even sites like Have I been pwned? which offer unauthenticated searches of large semi-public data sets don't allow unrestricted SELECT capabilities.
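As an added example (not code from the question or the answer above), the following Python sketches the alternative the answer implies: instead of handing a user-supplied filter straight to db.collection.find, validate it against an allowlist of fields and operators, refuse operators such as $where that execute server-side JavaScript, hide sensitive fields with a fixed projection, and bound both the result count and the server-side time with maxTimeMS. The "websites" schema, the hidden field names, the limits and the sample filters are assumptions made for illustration; pymongo is not imported, the code only builds the keyword arguments you would pass as `collection.find(**build_find_args(user_filter))`.

```python
"""Allowlist-based validation for a user-supplied MongoDB filter.

Added example, not from the original question or answer. The field names,
limits and sample filters below are assumed for illustration.
"""

# Fields users may query on (hypothetical schema for the "websites" collection).
ALLOWED_FIELDS = {"domain", "title", "category", "created_at"}

# Fields that must never appear in results (hypothetical sensitive columns).
HIDDEN_FIELDS = {"owner_email", "api_key"}

# Cheap comparison operators only. $where, $expr, $function (code execution),
# $regex (can be made arbitrarily slow) and $or/$and/$nor (nesting) are refused.
ALLOWED_OPERATORS = {"$eq", "$ne", "$gt", "$gte", "$lt", "$lte", "$in", "$nin"}

MAX_IN_VALUES = 50   # cap on list size for $in / $nin
MAX_LIMIT = 100      # cap on documents returned per call
MAX_TIME_MS = 2000   # server-side time budget passed as maxTimeMS


class InvalidQuery(ValueError):
    """Raised when a user filter contains anything outside the allowlist."""


def _check_scalar(value):
    """Only plain scalars are accepted as comparison values; nested documents
    could smuggle in further operators (e.g. {"$eq": {"$gt": ""}})."""
    if isinstance(value, (str, int, float, bool)) or value is None:
        return
    raise InvalidQuery(f"unsupported value type {type(value).__name__}")


def validate_filter(user_filter):
    """Return a sanitized copy of a user filter, or raise InvalidQuery."""
    if not isinstance(user_filter, dict):
        raise InvalidQuery("filter must be an object")
    clean = {}
    for field, cond in user_filter.items():
        if field.startswith("$"):
            # Top-level operators ($where, $or, $expr, ...) are never allowed.
            raise InvalidQuery(f"top-level operator {field!r} is not allowed")
        if field not in ALLOWED_FIELDS:
            raise InvalidQuery(f"field {field!r} is not queryable")
        if isinstance(cond, dict):
            clean_cond = {}
            for op, value in cond.items():
                if op not in ALLOWED_OPERATORS:
                    raise InvalidQuery(f"operator {op!r} is not allowed")
                if op in ("$in", "$nin"):
                    if not isinstance(value, list) or len(value) > MAX_IN_VALUES:
                        raise InvalidQuery(f"{op} needs a list of at most {MAX_IN_VALUES} values")
                    for item in value:
                        _check_scalar(item)
                else:
                    _check_scalar(value)
                clean_cond[op] = value
            clean[field] = clean_cond
        else:
            _check_scalar(cond)  # implicit equality match
            clean[field] = cond
    return clean


def is_rejected(user_filter):
    """True if validate_filter refuses the filter; handy for tests and logging."""
    try:
        validate_filter(user_filter)
    except InvalidQuery:
        return True
    return False


def build_find_args(user_filter, limit=MAX_LIMIT):
    """Build keyword arguments for collection.find(): a validated filter, a
    fixed projection that strips HIDDEN_FIELDS, a capped limit and a
    server-side time limit (pymongo's max_time_ms maps to maxTimeMS)."""
    limit = min(int(limit), MAX_LIMIT)
    if limit < 1:
        raise InvalidQuery("limit must be positive")
    return {
        "filter": validate_filter(user_filter),
        "projection": {field: 0 for field in HIDDEN_FIELDS},
        "limit": limit,
        "max_time_ms": MAX_TIME_MS,
    }


if __name__ == "__main__":
    # Constructed sample inputs: one benign filter and one abusive one.
    print(build_find_args({"category": {"$in": ["news", "blog"]}}, limit=5000))
    print(is_rejected({"$where": "function() { while (true) {} }"}))
```

The projection is fixed server-side rather than accepted from the user, so a caller cannot ask for the hidden fields back, and the limit and time budget are applied on every call regardless of what the client sends. This bounds a single request; it does not by itself stop the repeated-query or scraping abuse the answer lists, which still needs per-client rate limiting on top.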