Security question


#1

How can I generate safe path?

const myPath = `foo.bar.\`${userInput}\``;

bucket.mutate_in('myKey')
  .insert(myPath, myData, { createParents: true });

userInput is a string that comes from the end user; it can be dangerous. I just limit the size of the string to 100 characters.

In the following I show some userInput ===> myPath examples:

foobar ===> foo.bar.`foobar`
foo bar ===> foo.bar.`foo bar`
it`s ===> foo.bar.`it`s`
it`.`childObject ===> foo.bar.`it`.`childObject`

As you can see, here we have a security issue.

  1. How can I have a safe path?
  2. What is the name of this issue? It is like SQL injection.
  3. As I show, a user can change our structure: you want to save data at foo.bar.path, not foo.bar.other.path. Are there any other issues?

#2

Hey @socketman2016,

The pathing available from our sub-document API is relatively limited. If you want to prevent the user from pathing deeper than a single level, you should be able to simply strip away any . characters. There is no need to worry about most things from SQL as there is no way to move ‘up or across’ levels with the sub-document pathing.

Cheers, Brett


#3

My path is based on email and contains the . character:

email.`test@couchbase.com`

I just replace ` with ``; is it okay?


#4

@brett19 can you confirm that replacing ` with `` can guarantee safety?


#5

@brett19 reply please …


#6

Hey @socketman2016,

Escaping the . to prevent the user from specifying a path which nests deeper than expected should be enough. There are no other safety concerns with sub-document, as it doesn’t allow you to perform any unsafe operations from a path perspective.

Cheers, Brett


#7

How can I escape . ? Replace with . ?
What about my approach? Replace ` with `` and surround with `
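An added example (not code from the thread or from the Couchbase SDK) of the approach described in #3 and #7: quote the untrusted component in backticks, double any backtick inside it, and then re-parse the finished path to confirm the input still occupies exactly one level. It assumes the sub-document path rule that a backtick-quoted component may contain . and that a literal backtick inside it is written as two backticks; the function names, the 100-character cap from #1 and the `splitPath` checker are this example's own.

```javascript
// Added example, not part of the original thread or the Couchbase SDK.
// Assumes the sub-document path convention: a component wrapped in
// backticks may contain '.', and a literal backtick inside it is doubled.

const MAX_INPUT_LENGTH = 100; // size cap the question already applies

// Quote one untrusted path component so it can never add a level.
function quotePathComponent(component) {
  if (typeof component !== 'string') {
    throw new TypeError('path component must be a string');
  }
  if (component.length === 0 || component.length > MAX_INPUT_LENGTH) {
    throw new RangeError('path component length out of range');
  }
  return '`' + component.replace(/`/g, '``') + '`';
}

// Join a trusted, code-controlled prefix (e.g. 'foo.bar') with one user component.
function buildPath(trustedPrefix, userInput) {
  return trustedPrefix + '.' + quotePathComponent(userInput);
}

// Minimal path tokenizer used only as a check: splits on unquoted '.',
// treats backticks as quotes and a doubled backtick inside quotes as a
// literal backtick. Array indexes ([n]) are not handled separately because
// user input is always quoted, so they cannot appear unquoted here.
function splitPath(path) {
  const components = [];
  let current = '';
  let quoted = false;
  for (let i = 0; i < path.length; i++) {
    const ch = path[i];
    if (ch === '`') {
      if (quoted && path[i + 1] === '`') { // escaped literal backtick
        current += '`';
        i++;
        continue;
      }
      quoted = !quoted;
      continue;
    }
    if (ch === '.' && !quoted) {
      components.push(current);
      current = '';
      continue;
    }
    current += ch;
  }
  if (quoted) throw new SyntaxError('unterminated backtick in path');
  components.push(current);
  return components;
}

// True when the path has exactly the expected number of levels, i.e. the
// user component did not break out of its slot.
function hasExpectedDepth(path, expectedDepth) {
  return splitPath(path).length === expectedDepth;
}

// Constructed inputs taken from the question's examples.
const naive = 'foo.bar.`it`.`childObject`';         // the injected form
const safe = buildPath('foo.bar', 'it`.`childObject'); // the quoted form

console.log(splitPath(naive));   // four levels: the input escaped its slot
console.log(splitPath(safe));    // three levels: input stays one component
console.log(hasExpectedDepth(safe, 3));
```

In the question's code the resulting `safe` string is what would be passed as `myPath` to `.insert(myPath, myData, { createParents: true })`; the `splitPath` check is only a local guard and does not replace the server-side parser.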


#8

@brett19 Sorry that I mention you again, but I want to be sure.


#9

Hey @socketman2016,

I actually recently stumbled upon our documented best practices for handling sub-document paths. It should help you immensely, you can find it here:
https://docs.couchbase.com/nodejs-sdk/2.6/subdocument-operations.html

You can also find a pending version of that document with all javascript examples here:

Cheers, Brett