
I am in the process of building a basic no-code solution to build RESTful APIs that support CRUD operations on a MongoDB collection. Right now it is just a proof-of-concept project that I use internally with no external users.

I saw this question on Stack Overflow the other day and I thought that it could allow me to convert this little project into a SaaS concept.

Allowing users to create their own collections in MongoDB could be potentially insecure, but I couldn't think of any catastrophic consequence... Maybe the fact that malicious users can purposely create a collection that is horrible in performance? Or maybe the user could inject some references to other collections...?

Does having a separate Mongo database help to mitigate those attacks? Or could you give me more reasons why this is a bad idea?

Thank you very much!

Andrew Schulman
caravana_942

1 Answer

A few problems I can think of:

  1. Duplicate collection names
  2. Unwanted characters
  3. Performance issues, as you might not be able to control the indexes

A different approach would be for you to create the collection for them and let them put the data into a mixed field. You will still face the indexing problem to some extent.

niksmac
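One way to handle the first two problems listed in the answer above (duplicate names and unwanted characters), as an added example that is not part of the original question or answer: the user-supplied name is case-folded, checked against an allow-list and mapped to a tenant-prefixed physical collection name. The `tenantId` parameter, the `t_<tenant>__<name>` scheme, the 64-character cap and the in-memory registry are assumptions of this sketch.

```javascript
// Added example. tenantId, the "t_<tenant>__<name>" scheme, the 64-char cap
// and the in-memory registry are assumptions of this sketch.
// MongoDB itself rejects collection names that are empty, contain "$" or the
// NUL character, or start with "system."; the allow-list below is stricter.
const MAX_NAME_LEN = 64;
const TENANT_RE = /^[a-z0-9]{1,24}$/; // no "_" so the "__" separator is unambiguous
const NAME_RE = /^[a-z][a-z0-9_]*$/;  // letters, digits and underscore only

function physicalCollectionName(tenantId, userName) {
  if (typeof tenantId !== "string" || !TENANT_RE.test(tenantId)) {
    throw new Error("invalid tenant id");
  }
  if (typeof userName !== "string") {
    throw new Error("collection name must be a string");
  }
  // Case-fold first so "Orders" and "orders" count as the same name.
  const name = userName.trim().toLowerCase();
  if (name.length === 0 || name.length > MAX_NAME_LEN) {
    throw new Error("collection name has invalid length");
  }
  if (!NAME_RE.test(name)) {
    throw new Error("collection name contains unwanted characters");
  }
  // The fixed prefix keeps users out of "system." and out of each other's names.
  return `t_${tenantId}__${name}`;
}

// Stand-in for a metadata collection with a unique index on the physical name.
class CollectionRegistry {
  constructor() {
    this.names = new Set();
  }
  register(tenantId, userName) {
    const physical = physicalCollectionName(tenantId, userName);
    if (this.names.has(physical)) {
      throw new Error("duplicate collection name");
    }
    this.names.add(physical);
    return physical;
  }
}

// Constructed sample input.
const registry = new CollectionRegistry();
console.log(registry.register("acme1", " Orders "));
```

This does not address the third problem in the answer: index creation would still have to be controlled by the service rather than by the user.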