Answered

injection attack

Does something need to be done with strings coming from the client by an event, before inserting them in a collection?

var text = Spark.data.text;                    // attribute as sent by the client in the event
myRuntimeCollection.insert({"metafield" : text}); // stored as-is, no validation in between

Is this 100% safe? The question assumes, indeed, that the client's app has been hacked.


Best Answer
Hey Gabriel,

That's a good question.

So, to begin with, our system is SSL secured, which makes for a secure transmission channel between the client and server. We are also using MongoDB, which can avoid potential injection issues because it does not parse data being sent. When the client creates a query in MongoDB, it builds a BSON object instead of a string, so traditional SQL injection attacks are not a problem, as this avoids security issues that can arise when data is being interpreted between server and client.

However, MongoDB is not immune from injection attacks, and SSL security doesn't stop an attacker sending data across the secure channel from the app itself; no system is 100% secure where data is being transmitted, unfortunately, and I could, and have, discussed this for hours :)

So I'd say, yes, it is safe, but not 100%.
If you need extra encryption, you could consider building some between your client sending the requests and the cloud code that interprets your requests, decrypting it.

Hope that helps,
Sean



The immunity of MongoDB to traditional injections is an interesting feature!


I would rather not touch the encryption/decryption side of this problem as it can never get to 100% safety and I am an amateur in this field anyway. I'm also very happy that I can rely on GameSparks and someone like you to take the encryption problem off my hands. Thanks GameSparks!


My main interest here is ensuring consistency and security for the database in a 100% safe fashion. What would be the proper way to sanitize the received data in Cloud Code to ensure that?

Well, if you think about it, you are probably going to do at least some validation on your data when it is received in cloud code, even if it's just to check whether the string is null or empty, for example. I don't know exactly what your validation concerns are, but it's not a huge step from there to validating those same strings before you enter them into your collections. It's really up to how scrutinous you want to be.

Sean
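As an added example (not GameSparks' own code, nor code from either poster), here is what the validation Sean describes can look like when placed in front of the insert from the question. It also illustrates the point from the accepted answer: MongoDB builds queries from BSON values rather than strings, so the danger is not a quoted string but a client that sends a JSON object where a string was expected. The names `sanitizeClientText`, `insertMetafield`, `MAX_TEXT_LENGTH` and the in-memory collection are assumptions made for this example; the handler takes the event data and the collection as parameters so it can run outside the Cloud Code environment, where you would pass `Spark.data` and your runtime collection instead.

```javascript
// Added example, not GameSparks' or the original poster's code. It validates a
// client-supplied event attribute before writing it to a runtime collection.
// Assumptions: the attribute arrives as data.text (Spark.data.text in Cloud
// Code) and the collection exposes insert(doc) like a runtime collection does.

var MAX_TEXT_LENGTH = 256; // constructed limit; choose one that fits your schema

// Returns the string to store, or null when the value must be rejected.
// The checks that matter when the client app is assumed to be tampered with:
//  1. type: a JSON object such as {"$ne": null} is a perfectly valid BSON value,
//     and if it were later used in a query it would be read as an operator,
//     not as text, so anything that is not a string is rejected outright;
//  2. length: bounds storage and the cost of anything that later renders it;
//  3. content: restrict to the characters the feature actually needs.
function sanitizeClientText(raw) {
  if (typeof raw !== "string") {
    return null;                       // objects, arrays, numbers, null, undefined
  }
  var text = raw.trim();
  if (text.length === 0 || text.length > MAX_TEXT_LENGTH) {
    return null;
  }
  // Constructed whitelist: printable ASCII only. Widen it for your locale.
  if (!/^[\x20-\x7E]+$/.test(text)) {
    return null;
  }
  return text;
}

// Event handler in the shape of the original snippet, but gated by the
// validator. Returns the inserted document, or null if the input was rejected.
function insertMetafield(data, collection) {
  var text = sanitizeClientText(data.text);
  if (text === null) {
    return null;                       // reject; report a script error to the client here
  }
  var doc = { metafield: text };       // value is a plain string, never an operator object
  collection.insert(doc);
  return doc;
}

// Minimal in-memory stand-in for a runtime collection (constructed for the demo).
function makeFakeCollection() {
  var docs = [];
  return {
    insert: function (doc) { docs.push(doc); },
    count: function () { return docs.length; }
  };
}

// Constructed inputs: one honest client value and two that only a modified
// client would send (an operator object and an oversized payload).
function demo() {
  var coll = makeFakeCollection();
  var results = [
    insertMetafield({ text: "player nickname" }, coll),
    insertMetafield({ text: { $ne: null } }, coll),
    insertMetafield({ text: new Array(MAX_TEXT_LENGTH + 2).join("a") }, coll)
  ];
  return { inserted: coll.count(), results: results };
}
```

Only the first of the three constructed inputs reaches the collection. The type check is the one that matters most for the "hacked client" case in the question: because the driver never builds a query string, a quoted apostrophe is harmless, but a value that arrives as an object keeps its object shape all the way into the database, and `typeof raw !== "string"` is what stops it.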


Yeah I'm doing loads of validation... By this question I was essentially looking to see if I could have forgotten something obvious, but the immunity to traditional injections by MongoDB is pretty much the best answer I could get!


Thanks for your time!


Gabriel

