
I have a RESTful service for documents; the documents are stored in MongoDB, and the REST API for a document is /document/:id. Initially the :id in the API was the MongoDB ObjectID, but I wonder whether this approach reveals the database id and exposes a potential threat, and whether I should replace it with a pseudonymous id.

If it does need to be replaced with a pseudonymous id, I would like to know whether there is an algorithmic way to convert back and forth between the ObjectID and the pseudonymous id without much computation.


1 Answer


First, there is no "database id" contained in the ObjectID.

I'm assuming your concern comes from the fact that the spec lists a 3 byte machine identifier as part of the ObjectID. A couple of things to note on that:

  1. Most of the time, the ObjectID is actually generated on the client side, not the server (though it can be). Hence this is usually the machine identifier for the application server, not your database.
  2. The 3 byte Machine ID is the first three bytes of the (md5) hash of the machine host name, or of the mac/network address, or the virtual machine id (depending on the particular implementation), so it can't be reversed back into anything particularly meaningful.

With the above in mind, you can see that worrying about exposing information is not really a concern.

However, with even a small sample, it is relatively easy to guess valid ObjectIDs, so if you want to avoid that type of traffic hitting your application, then you may want to use something else (a hash of the ObjectID might be a good idea for example), but that will be dependent on your requirements.

answered 2013-05-02T11:00:10.670
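As an added example (not code from the question or the answer), the following Python script makes the answer's two points concrete. It splits a constructed ObjectID into the fields the answer describes (4-byte timestamp, 3-byte machine id, 2-byte pid, 3-byte counter; this is the legacy layout, newer drivers replace the machine id and pid with a 5-byte per-process random value), shows the answer's "hash of the ObjectID" as a keyed one-way id, and, for the asker's wish for a cheap back-and-forth conversion, adds a keyed 96-bit Feistel permutation. The Feistel construction is my own suggestion, not something the answer proposes, and `SAMPLE_OID` and `SAMPLE_KEY` are constructed values.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timezone

# Constructed sample ObjectID (12 bytes as 24 hex chars); not from any real deployment.
SAMPLE_OID = "517f9a3e1c2d3e4f5a6b7c8d"

# Constructed server-side secret; in practice load it from a secrets store, never hard-code it.
SAMPLE_KEY = b"example-key-rotate-me-0123456789"

ROUNDS = 4  # Feistel rounds; four keyed rounds is the usual minimum for a balanced network


def parse_object_id(oid_hex: str) -> dict:
    """Split a legacy-layout ObjectID into its four fields:
    4-byte big-endian Unix timestamp, 3-byte machine id, 2-byte pid, 3-byte counter."""
    raw = bytes.fromhex(oid_hex)
    if len(raw) != 12:
        raise ValueError("an ObjectID is exactly 12 bytes")
    ts = struct.unpack(">I", raw[0:4])[0]
    return {
        "timestamp": ts,
        "generated_at": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "machine_id": int.from_bytes(raw[4:7], "big"),
        "pid": struct.unpack(">H", raw[7:9])[0],
        "counter": int.from_bytes(raw[9:12], "big"),
    }


def opaque_id(oid_hex: str, key: bytes) -> str:
    """One-way option (the answer's 'hash of the ObjectID'), keyed so an outsider
    cannot recompute it from a guessed ObjectID. Not reversible: the service must
    store the mapping (e.g. as an indexed field on the document)."""
    return hmac.new(key, bytes.fromhex(oid_hex), hashlib.sha256).hexdigest()


def _round_fn(key: bytes, round_no: int, half: bytes) -> bytes:
    # Keyed round function: HMAC-SHA256 of (round number || half), truncated to 48 bits
    return hmac.new(key, bytes([round_no]) + half, hashlib.sha256).digest()[:6]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def to_pseudonym(oid_hex: str, key: bytes) -> str:
    """Reversible option: a 96-bit keyed Feistel permutation, so the pseudonym has the
    same length as an ObjectID and the raw ObjectID can be recovered with the key."""
    raw = bytes.fromhex(oid_hex)
    if len(raw) != 12:
        raise ValueError("an ObjectID is exactly 12 bytes")
    left, right = raw[:6], raw[6:]
    for i in range(ROUNDS):
        # (L, R) -> (R, L xor F_i(R))
        left, right = right, _xor(left, _round_fn(key, i, right))
    return (left + right).hex()


def from_pseudonym(pseudo_hex: str, key: bytes) -> str:
    """Inverse of to_pseudonym: run the rounds backwards with the same key."""
    raw = bytes.fromhex(pseudo_hex)
    if len(raw) != 12:
        raise ValueError("a pseudonym is exactly 12 bytes")
    left, right = raw[:6], raw[6:]
    for i in reversed(range(ROUNDS)):
        # (L', R') -> (R' xor F_i(L'), L')
        left, right = _xor(right, _round_fn(key, i, left)), left
    return (left + right).hex()


if __name__ == "__main__":
    print(parse_object_id(SAMPLE_OID))
    pseudo = to_pseudonym(SAMPLE_OID, SAMPLE_KEY)
    print("pseudonym:", pseudo, "->", from_pseudonym(pseudo, SAMPLE_KEY))
    print("opaque:", opaque_id(SAMPLE_OID, SAMPLE_KEY))
```

Both mappings only make the public id unpredictable; neither one is authorization, so the handler behind /document/:id must still check that the caller is allowed to read that document. The Feistel variant needs no lookup table, but anyone holding the key can turn pseudonyms back into ObjectIDs, so the key is as sensitive as the ids it protects, and rotating it changes every public id at once.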