I know in SQL land people love referring to Little Bobby Tables as the main reason to have a very strict interface between your user base and your database.
However, I want to implement a robust query solution using MongoDB, and it seems like I can theoretically give a user an interface that grants them full rein over what they want to query for.
The only danger I see is a user creating a long-running query, which can be mitigated by using $maxTimeMS with my db.collection.find query. Am I being naive?
I figure since db.collection.find forces queries to a particular collection, users would only have access to that collection. So they could only search in the websites collection, but not in the users collection.
Best Answer
The real answer is it depends, but most of the time this probably isn't a good idea.
SELECT, while it is less nefarious than the other CRUD commands, still carries risk.

Why this is probably a bad plan

With SELECT-only access to the database I can find your hashed passwords and brute force the password offline. It is important to note that even sites like Have I been pwned?, which offer unauthenticated searches of large semi-public data sets, don't allow unrestricted SELECT capabilities.
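The answer's point is that pinning a user to one collection does not make an arbitrary filter safe: read-only access still exposes every field in that collection, and operators such as $where, $regex or $expr let a caller run arbitrary server-side logic or build queries that are expensive regardless of $maxTimeMS. The usual mitigation is to never pass the user's filter to find() at all, but to rebuild it from an allow-list of fields and comparison operators, force a projection that drops sensitive fields, and cap limit and maxTimeMS server-side. The following is an added example of that guard; it is not code from the question or the answer. It assumes a hypothetical websites collection with the field names shown, treats ownerEmail and apiKeyHash as constructed examples of fields that must never be returned, and only builds the request object (no live MongoDB connection is needed to run it).

```javascript
// Added example (not from the question or the answer): rebuild an untrusted,
// user-supplied MongoDB filter into a constrained find() request.
// Assumptions: collection "websites", the allow-listed query fields and the
// hidden field names below are hypothetical, and no database is contacted.

const ALLOWED_FIELDS = new Set(["domain", "category", "rank", "lastSeen"]);
const ALLOWED_OPERATORS = new Set(["$eq", "$ne", "$in", "$gt", "$gte", "$lt", "$lte"]);
const HIDDEN_FIELDS = ["ownerEmail", "apiKeyHash"]; // constructed sensitive fields
const MAX_TIME_MS = 2000;   // server-side cap; the user cannot raise it
const MAX_RESULTS = 100;    // server-side page size cap
const MAX_IN_VALUES = 50;   // keeps $in arrays from becoming huge scans

function isScalar(v) {
  return v === null || ["string", "number", "boolean"].includes(typeof v);
}

// Validate one field condition: either a scalar (implicit equality) or an
// object whose keys are allow-listed comparison operators with scalar operands.
// Anything else ($regex, $where, nested documents, arrays as values) is rejected.
function validateCondition(field, cond) {
  if (isScalar(cond)) return { [field]: cond };
  if (typeof cond !== "object" || Array.isArray(cond)) {
    throw new Error(`unsupported condition type for ${field}`);
  }
  const out = {};
  for (const [op, operand] of Object.entries(cond)) {
    if (!ALLOWED_OPERATORS.has(op)) throw new Error(`operator ${op} not allowed`);
    if (op === "$in") {
      if (!Array.isArray(operand) || operand.length > MAX_IN_VALUES || !operand.every(isScalar)) {
        throw new Error(`$in on ${field} must be a short array of scalars`);
      }
    } else if (!isScalar(operand)) {
      throw new Error(`operand for ${op} on ${field} must be a scalar`);
    }
    out[op] = operand;
  }
  return { [field]: out };
}

// Build a constrained find() request from an untrusted filter object.
// Top-level keys must be allow-listed field names, so top-level operators such
// as $where, $expr, $or or $text are rejected because they are not field names.
// The projection always excludes the hidden fields, so even a valid filter
// cannot read them back.
function buildSafeFind(userFilter) {
  if (typeof userFilter !== "object" || userFilter === null || Array.isArray(userFilter)) {
    throw new Error("filter must be an object");
  }
  const filter = {};
  for (const [field, cond] of Object.entries(userFilter)) {
    if (!ALLOWED_FIELDS.has(field)) throw new Error(`field ${field} not allowed`);
    Object.assign(filter, validateCondition(field, cond));
  }
  const projection = Object.fromEntries(HIDDEN_FIELDS.map((f) => [f, 0]));
  return {
    collection: "websites",
    filter,
    options: { projection, maxTimeMS: MAX_TIME_MS, limit: MAX_RESULTS },
  };
}

// Non-throwing wrapper so an API layer can log why a filter was refused.
function tryBuildSafeFind(userFilter) {
  try {
    return { ok: true, request: buildSafeFind(userFilter) };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}

// Constructed inputs for demonstration.
const accepted = tryBuildSafeFind({ domain: "example.com", rank: { $lt: 1000 } });
const rejectedOperator = tryBuildSafeFind({ $where: "this.rank > 1" });
const rejectedField = tryBuildSafeFind({ apiKeyHash: { $ne: null } });
console.log(JSON.stringify(accepted, null, 2));
console.log(rejectedOperator.reason, "|", rejectedField.reason);
```

The request object returned by buildSafeFind is what the application hands to the driver (filter, then projection, limit and maxTimeMS as options); the user-supplied object itself never reaches the database. Pair this with a MongoDB role that grants only read on that one collection, so a bug in the guard still cannot write or reach the users collection.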