by ivancho 894 days ago
The hubris of software engineers never ceases to amaze me. I'm not trying to scare you here, I am just gently suggesting that you might not have the capacity to provide this as a public service. Keep using it for your projects if it works for you, maybe wrap it in a Docker container for other people to deploy on their own if they so want.

Side note, I just tested a curl command with

  -d '{"key": {"$regex": ".*"}, "value": "..."}'
and it went through, updating the already existing first key in the collection, so you're not even sanitizing your inputs - there's likely some Mongo lookup code that will enumerate the existing collections, or overwrite someone else's data, or possibly read all of it. I am not going to continue with the probing (are you sanitizing the API key?). You can either assume good faith from all your users, or open the API to the internet, but definitely not both.
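The behaviour described in the comment is MongoDB query-operator injection: the client-supplied `key` is used as a filter value as-is, so an object like `{"$regex": ".*"}` matches the first existing document instead of one exact key. As an added example, not code from the service being discussed, here is a Node-style validator that rejects operator objects anywhere in the body and only ever builds an exact-match filter (the request shape and function names are assumptions):

```javascript
// Added example: block MongoDB operator injection in a key/value API body.
// Assumes a service that runs something like updateOne({ key: body.key }, ...);
// the request shape ({key, value}) and the function names are hypothetical.

// Recursively true if any object key starts with "$" (e.g. $regex, $ne, $gt).
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value && typeof value === 'object') {
    return Object.entries(value).some(
      ([k, v]) => k.startsWith('$') || containsOperator(v)
    );
  }
  return false;
}

// Vulnerable shape: whatever JSON the client sent becomes the filter,
// so {"$regex": ".*"} is passed through and matches any stored key.
function buildFilterUnsafe(body) {
  return { key: body.key };
}

// Hardened: the key must be a plain string of sane length, and the stored
// value must carry no operators. Returns {ok, filter} or {ok, reason}.
function buildFilterSafe(body) {
  if (typeof body.key !== 'string' || body.key.length === 0 || body.key.length > 256) {
    return { ok: false, reason: 'key must be a non-empty string' };
  }
  if (containsOperator(body.value)) {
    return { ok: false, reason: 'value must not contain query operators' };
  }
  // $eq makes exact matching explicit even if a later change passes objects here.
  return { ok: true, filter: { key: { $eq: body.key } } };
}

// Constructed sample bodies: the probe from the comment and a normal request.
const probe  = JSON.parse('{"key": {"$regex": ".*"}, "value": "..."}');
const normal = JSON.parse('{"key": "my-key", "value": {"n": 1}}');

console.log(buildFilterUnsafe(probe));  // { key: { '$regex': '.*' } }
console.log(buildFilterSafe(probe));    // { ok: false, reason: 'key must be a non-empty string' }
console.log(buildFilterSafe(normal));   // { ok: true, filter: { key: { '$eq': 'my-key' } } }
```

The same string-type check belongs on the API key and any other field that ends up inside a filter, since a JSON body can turn any of them into an operator object.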