Secure Code Warrior_.Net Core 資安練習_NoSQL注入

 

有害的程式碼

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
namespace SecureSoft.Data.Repositories
{
    using System.Collections.Generic;
    using System.Threading.Tasks;

    using MongoDB.Bson;
    using MongoDB.Driver;

    using SecureSoft.Domain;
    using SecureSoft.Domain.Repositories;

    public class MobileRepository : IMongoRepository<Mobile>
    {
        private readonly IMongoDatabase database;

        public MobileRepository(IMongoDatabase database)
        {
            this.database = database;
        }

        private IMongoCollection<Mobile> Phones =>
            this.database.GetCollection<Mobile>("Phones");

        public async Task<List<Mobile>> GetAll(
            int? minPrice,
            int? maxPrice,
            string name)
        {
            var builder = new FilterDefinitionBuilder<Mobile>();
            var filter = builder.Empty; 
            if (!string.IsNullOrWhiteSpace(name))
            {
                filter = filter & builder.Regex(
                             "Name",
                             new BsonRegularExpression(name));
            }

            if (minPrice.HasValue)  
            {
                filter = filter & builder.Gte("Price", minPrice.Value);
            }

            if (maxPrice.HasValue)  
            {
                filter = filter & builder.Lte("Price", maxPrice.Value);
            }

            return await this.Phones.Find(filter).ToListAsync();
        }

        public async Task<Mobile> Get(string id)
        {
            var command = "{$where: \"function() {return this._id == '" + id
                                                                        + "'}\"}";
            return await this.Phones.Find(command).FirstOrDefaultAsync();
        }

        public async Task<string> Create(Mobile phone)
        {
            await this.Phones.InsertOneAsync(phone);
            return phone.Id;
        }

        public async Task Update(Mobile phone)
        {
            await this.Phones.ReplaceOneAsync(
                new BsonDocument("_id", new ObjectId(phone.Id)),
                phone);
        }

        public async Task Delete(string id)
        {
            await this.Phones.DeleteOneAsync(
                new BsonDocument("_id", new ObjectId(id)));
        }
    }
}





解決方案

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
namespace SecureSoft.Data.Repositories
{
    using System.Collections.Generic;
    using System.Threading.Tasks;

    using MongoDB.Bson;
    using MongoDB.Driver;

    using SecureSoft.Domain;
    using SecureSoft.Domain.Repositories;

    public class MobileRepository : IMongoRepository<Mobile>
    {
        private readonly IMongoDatabase database;

        public MobileRepository(IMongoDatabase database)
        {
            this.database = database;
        }

        private IMongoCollection<Mobile> Phones =>
            this.database.GetCollection<Mobile>("Phones");

        public async Task<List<Mobile>> GetAll(
            int? minPrice,
            int? maxPrice,
            string name)
        {
            var builder = new FilterDefinitionBuilder<Mobile>();
            var filter = builder.Empty; 
            if (!string.IsNullOrWhiteSpace(name))
            {
                filter = filter & builder.Regex(
                             "Name",
                             new BsonRegularExpression(name));
            }

            if (minPrice.HasValue)  
            {
                filter = filter & builder.Gte("Price", minPrice.Value);
            }

            if (maxPrice.HasValue)  
            {
                filter = filter & builder.Lte("Price", maxPrice.Value);
            }

            return await this.Phones.Find(filter).ToListAsync();
        }

        public async Task<Mobile> Get(string id)
        {
            return await this.Phones
                       .Find(new BsonDocument("_id", new ObjectId(id)))
                       .FirstOrDefaultAsync();
        }

        public async Task<string> Create(Mobile phone)
        {
            await this.Phones.InsertOneAsync(phone);
            return phone.Id;
        }

        public async Task Update(Mobile phone)
        {
            await this.Phones.ReplaceOneAsync(
                new BsonDocument("_id", new ObjectId(phone.Id)),
                phone);
        }

        public async Task Delete(string id)
        {
            await this.Phones.DeleteOneAsync(
                new BsonDocument("_id", new ObjectId(id)));
        }
    }
}














留言

這個網誌中的熱門文章

何謂淨重(Net Weight)、皮重(Tare Weight)與毛重(Gross Weight)

Architecture(架構) 和 Framework(框架) 有何不同?_軟體設計前的事前規劃的藍圖概念

經得起原始碼資安弱點掃描的程式設計習慣培養(五)_Missing HSTS Header