
MongoDB: is it safe to use document's ID "in public"?

I really like MongoDB's automatically generated ids. They are really useful.

However, is it safe to use them publicly?

Let's say there is a posts collection, and the /posts page takes an id parameter (something like /posts/4d901acd8df94c1fe600009b) and displays info about it.

This way the user/hacker will know the real object id of the document. Is it okay or is it not secure?

Thanks

Alex asked Jan 03 '11 19:01


People also ask

Is ID mandatory in MongoDB?

@KevinMeredith As specified here, yes, an _id field is mandatory. «In MongoDB, each document stored in a collection requires a unique _id field that acts as a primary key. If an inserted document omits the _id field, the MongoDB driver automatically generates an ObjectId for the _id field».

Does MongoDB assign ID automatically?

By default, MongoDB generates a unique ObjectID identifier that is assigned to the _id field in a new document before writing that document to the database.

Can Id be string MongoDB?

Yes, you can use a string as your _id.

How many documents is too many in MongoDB?

To my knowledge, there's no real 'limit' on the number of docs in a collection. Probably it is the number of unique combinations of the _id field MongoDB can generate, but that would be much larger than 500K.


2 Answers

The ObjectID documentation states that the automatically generated IDs include a 3-byte machine ID (presumably a hash of the MAC address). It's not inconceivable that someone could figure out things about your internal network by comparing those three bytes in various ids, but unless you're working for the Pentagon that doesn't seem worth worrying about (you're much more likely to be vulnerable to something more boring like a misconfigured Apache).

Other than that, Epcylon's right; there's nothing inherently insecure about exposing ids through URLs. Whether it's ugly is another matter, of course. You can base64 them to make them shorter (been thinking about this myself), but then there's the weird fact that they're all about half the same.

Luke Maurer answered Oct 12 '22 23:10


I have no experience with MongoDB in a production environment, so don't take my answer as the truth, but I can't imagine why it shouldn't be safe.

Compare to an Auto-ID type column in a RDBMS. You expose those to the outside all the time; I don't know of any reason for not doing the same with MongoDB ids.

As always, the security should be in validating your input and not letting anyone near your database without proper protection. Do it properly and it shouldn't matter if they know how to pick a particular object in your database, as they still can't do anything with it.

Epcylon answered Oct 13 '22 00:10
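Both answers above make two points that are easy to see in code: an ObjectId does leak some metadata (Luke Maurer's point about the creation time and the 3-byte machine field), and the real protection is validating the id parameter and checking authorization before it reaches the database (Epcylon's point). The following is an added example, not code from either answerer or from MongoDB. It assumes the legacy 12-byte layout the first answer describes (4-byte timestamp, 3-byte machine id, 2-byte process id, 3-byte counter; newer driver versions replace the machine and pid bytes with 5 random bytes per process), and it uses a constructed in-memory dictionary in place of the posts collection so it runs without a database.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# An ObjectId rendered as text is exactly 24 hex characters. Anything else
# (query operators, quotes, path fragments) is rejected before it gets near
# the database lookup.
OBJECT_ID_RE = re.compile(r"\A[0-9a-fA-F]{24}\Z")


@dataclass(frozen=True)
class ObjectIdFields:
    """Fields of the legacy ObjectId layout (assumed here; see lead-in)."""
    timestamp: int   # seconds since the Unix epoch, 4 bytes big-endian
    machine: str     # 3-byte machine identifier, as hex
    pid: int         # 2-byte process id
    counter: int     # 3-byte per-process counter


def is_object_id(value: str) -> bool:
    """Shape check for an untrusted id taken from a URL such as /posts/<id>."""
    return isinstance(value, str) and OBJECT_ID_RE.match(value) is not None


def decode_object_id(value: str) -> ObjectIdFields:
    """Split a hex ObjectId into its fields to show what an exposed id reveals."""
    if not is_object_id(value):
        raise ValueError("not a 24-character hex ObjectId")
    raw = bytes.fromhex(value)
    return ObjectIdFields(
        timestamp=int.from_bytes(raw[0:4], "big"),
        machine=raw[4:7].hex(),
        pid=int.from_bytes(raw[7:9], "big"),
        counter=int.from_bytes(raw[9:12], "big"),
    )


def created_at(value: str) -> datetime:
    """The document creation time that any holder of the id can read off it."""
    return datetime.fromtimestamp(decode_object_id(value).timestamp, tz=timezone.utc)


# Constructed stand-in for the posts collection (hypothetical owners/titles).
POSTS = {
    "4d901acd8df94c1fe600009b": {"owner": "alex", "title": "first post"},
    "4d901acd8df94c1fe600009c": {"owner": "bob", "title": "second post"},
}


def get_post(post_id: str, requesting_user: str):
    """Handler logic for /posts/<id>: validate the shape, then authorize.

    Returns (status, post). Knowing a valid id is not enough on its own;
    the caller must also be allowed to read that document. Missing and
    forbidden both map to 404 so the response does not confirm which
    ids exist.
    """
    if not is_object_id(post_id):
        return 400, None
    post = POSTS.get(post_id.lower())
    if post is None or post["owner"] != requesting_user:
        return 404, None
    return 200, post


if __name__ == "__main__":
    sample = "4d901acd8df94c1fe600009b"   # the id used in the question
    print(decode_object_id(sample))
    print("created:", created_at(sample).isoformat())
    print(get_post(sample, "alex"))
    print(get_post(sample, "mallory"))
    print(get_post("{'$gt': ''}", "alex"))
```

Running it on the id from the question prints its creation time and machine bytes, which is all the id gives away; the handler then shows that the id alone never selects a document for someone who is not entitled to it, because the lookup is preceded by a shape check and followed by an ownership check.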