Question

I watched a DEFCON talk devoted to NoSQL in general and CouchDB in particular. They observed some attack vectors, like access to the client library (pseudo-SQL transparent layer), access to the DB and then brute-forcing keys (in a schema-less way), and JSON/view injection. If I leave direct access to the DB from the internet and use in-DB validation and authentication, does that make my database less secure?

Unfortunately, my lack of experience working with CouchDB prevents an accurate analysis, so I rely on your opinion, dear colleagues.

Thank you.


The solution

No, I would not do this.

I don't feel CouchDB's security is granular enough to make it suitable to be posted on the internet. There's no way to let "some" data through and not all. On a normal SQL DB, you can restrict some tables, etc. But not in Couch. Being schema-less and a document store, a document is a document is a document, whether it's a "secret" or "important" one or not.

It's a fine back end, but not on the wild internet.

Other tips

Giving direct access to any web-based DB would be asking for trouble, but I suppose it depends on your design...

With CouchDB, you have the option of providing each user with their own database, which would mitigate certain problems. You can also change the read/write permissions of 'direct' CouchDB users.

Detailed explanations for both techniques can be found here: CouchDB Authorization on a Per-Database Basis
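To make concrete what the two answers above describe (per-database membership via the `_security` object, and the in-database write validation the question asks about), here is an added example that is not code from either post. It assumes a per-user database, a hypothetical `owner` field on each document, and a hypothetical `app_admin` role; note that the `_security` object only controls who may read or write the database as a whole, so any member still sees every document, which is the granularity limit the first answer points at.

```javascript
// Added example (not from the post). The per-database _security object
// (PUT /<db>/_security): members may read and write, admins may also edit
// design documents. Reads cannot be narrowed below "member of this db".
// "alice" and the "app_admin" role are constructed sample values.
var securityDoc = {
  admins:  { names: [], roles: ["app_admin"] },
  members: { names: ["alice"], roles: [] }
};

// CouchDB calls validate_doc_update(newDoc, oldDoc, userCtx, secObj) on
// every write, including writes by server admins, so admins are allowed
// explicitly. Throwing {forbidden: ...} rejects the write; throwing
// {unauthorized: ...} asks the client to authenticate.
function validate_doc_update(newDoc, oldDoc, userCtx, secObj) {
  function hasRole(r) { return userCtx.roles.indexOf(r) !== -1; }
  var isAdmin = hasRole("_admin") ||
                secObj.admins.roles.some(hasRole) ||
                secObj.admins.names.indexOf(userCtx.name) !== -1;
  if (isAdmin) { return; }
  if (!userCtx.name) {
    throw { unauthorized: "login required" };
  }
  // A deletion stub carries only _id/_rev/_deleted, so judge it by the
  // previous revision's owner (assumed "owner" field).
  var owner = newDoc._deleted ? (oldDoc && oldDoc.owner) : newDoc.owner;
  if (owner !== userCtx.name) {
    throw { forbidden: "documents may only be written by their owner" };
  }
  // Ownership cannot be transferred by rewriting the field.
  if (oldDoc && !newDoc._deleted && oldDoc.owner !== newDoc.owner) {
    throw { forbidden: "owner field is immutable" };
  }
}

// Local harness (not part of the design document) that reports the outcome
// CouchDB would produce for a given write.
function checkWrite(newDoc, oldDoc, userCtx) {
  try {
    validate_doc_update(newDoc, oldDoc, userCtx, securityDoc);
    return "ok";
  } catch (e) {
    if (e.forbidden) { return "forbidden"; }
    if (e.unauthorized) { return "unauthorized"; }
    return "error";
  }
}
```

In a real deployment the `validate_doc_update` function goes into a design document of the database, and `securityDoc` is written with a PUT to `/<db>/_security` by a server admin.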

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow