通过节点 ts 将用户输入传递给 dynamo DB 是否安全
[英]Is it safe to pass user input to dynamo DB through node ts
问题描述
I have a function that takes user input and directly passes it to the put function
我有一个 function 接受用户输入并将其直接传递给 put function
// user input is message
async addtodb(message: string, partitionkey: string) {
const params: AWS.DynamoDB.DocumentClient.PutItemInput = {
TableName: this.tablename,
Item: {
[this.key]: partitionkey,
id: id,
message,
},
};
return await dynamodb.put(params).promise();
};
Is it secure to use user input as an Amazon DynamoDB partition key? 将用户输入用作 Amazon DynamoDB 分区键是否安全?
is unclear and that is with the partition key aswell.不清楚,分区键也是如此。 I know the first rule of hacking is never trust user input so does that apply here?我知道黑客攻击的第一条规则是永远不要相信用户输入,那么这是否适用于此?
1 个解决方案
解决方案1
1 已采纳 2023-01-27 08:43:08
You should always sanitize inputs.您应该始终清理输入。
However, you cannot run UDFs or any other type of function on DynamoDB which most attacks try exploit.但是,您不能在大多数攻击尝试利用的 DynamoDB 上运行 UDF 或任何其他类型的 function。 The only thing you're at risk from is the user storing data that you did not expect.您面临的唯一风险是用户存储了您没有预料到的数据。
Partition key is hashed and uses salt, so the distribution of your data won't be impacted either.分区键经过哈希处理并使用盐,因此您的数据分布也不会受到影响。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.