Subject: Re: "safe" access to CouchDB?
From: Chris Anderson
To: user@couchdb.apache.org
Date: Tue, 3 Feb 2009 08:27:41 -0800

On Mon, Feb 2, 2009 at 11:49 PM, Rich Morin wrote:
> I'm interested in finding out how to provide "safe" access to
> CouchDB from untrusted (and possibly malicious) code. What
> can I do to allow queries, but make sure that no destructive
> activities (including major denials of service) are allowed?

If you want to avoid denial of service, you should not allow temp_views to be generated by end-users.

For document control, if your application can set a trusted "author" field on the doc (perhaps from session) then you can use CouchDB's validation functions in a bunch of interesting ways. Sofa has a fairly complex validation function which manages both blog posts and anonymous comments:

http://github.com/jchris/sofa/blob/master/validate_doc_update.js

Line 20 of that validation function is my hack to provide some more session support for Sofa admins. It's not a good pattern to follow, but you shouldn't need to do it if you have an application server. Fixing Sofa's sign-in hack is on my todo list.

Or see the test suite for more examples.

--
Chris Anderson
http://jchris.mfdz.com
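An added example of the pattern Chris describes (this is illustrative code written for this archive page, not the Sofa validation function and not code from the post): a CouchDB validate_doc_update function that ties every write to a trusted "author" field, plus a small offline harness that calls it the way CouchDB would. It assumes, beyond what the post states, that the application sets "author" from the session, that CouchDB supplies the authenticated name in userCtx.name and roles in userCtx.roles, and that only users holding the "_admin" role may act on other people's documents.

```javascript
// Added example, not from the mailing-list post or from Sofa.
// Assumptions (not stated in the post):
//   - each document carries a top-level "author" field set by the app from the session;
//   - CouchDB passes the authenticated user's name in userCtx.name and roles in userCtx.roles;
//   - only users with the "_admin" role may write or delete other people's documents.

function validate_doc_update(newDoc, oldDoc, userCtx) {
  var isAdmin = userCtx.roles.indexOf('_admin') !== -1;

  // Reject unauthenticated writes outright (CouchDB reports this as 401).
  if (!userCtx.name) {
    throw { unauthorized: 'You must be logged in to write documents' };
  }

  // Deletions: only the original author or an admin may delete.
  if (newDoc._deleted) {
    if (!oldDoc) {
      return; // nothing existing to protect
    }
    if (oldDoc.author !== userCtx.name && !isAdmin) {
      throw { forbidden: 'Only the author may delete this document' };
    }
    return;
  }

  // Every new or updated document must name its author.
  if (typeof newDoc.author !== 'string' || newDoc.author.length === 0) {
    throw { forbidden: 'Document must have an author field' };
  }

  // The author field must match the session identity; admins may set any author.
  if (newDoc.author !== userCtx.name && !isAdmin) {
    throw { forbidden: 'author must equal the logged-in user' };
  }

  // On update, only the existing author (or an admin) may change the document,
  // and the author field is immutable for non-admins.
  if (oldDoc) {
    if (oldDoc.author !== userCtx.name && !isAdmin) {
      throw { forbidden: 'Only the author may edit this document' };
    }
    if (oldDoc.author !== newDoc.author && !isAdmin) {
      throw { forbidden: 'author field may not be changed' };
    }
  }
}

// Harness: returns "ok" when the write is accepted, otherwise the key of the
// error object CouchDB would report ("forbidden" or "unauthorized").
function tryWrite(newDoc, oldDoc, userCtx) {
  try {
    validate_doc_update(newDoc, oldDoc, userCtx);
    return 'ok';
  } catch (e) {
    return Object.keys(e)[0];
  }
}

// Constructed sample identities and a constructed existing document.
var alice = { name: 'alice', roles: [] };
var bob = { name: 'bob', roles: [] };
var anon = { name: null, roles: [] };
var admin = { name: 'root', roles: ['_admin'] };
var post = { _id: 'post1', author: 'alice', title: 'Hello' };

// Runs the scenarios a reviewer would want to see covered.
function runScenarios() {
  return {
    create_ok: tryWrite(post, null, alice),
    create_spoofed_author: tryWrite(post, null, bob),
    create_anonymous: tryWrite(post, null, anon),
    create_missing_author: tryWrite({ _id: 'p2' }, null, alice),
    edit_by_other: tryWrite({ _id: 'post1', author: 'alice', title: 'x' }, post, bob),
    edit_by_author: tryWrite({ _id: 'post1', author: 'alice', title: 'x' }, post, alice),
    delete_by_other: tryWrite({ _id: 'post1', _deleted: true }, post, bob),
    delete_by_admin: tryWrite({ _id: 'post1', _deleted: true }, post, admin)
  };
}
```

In a real deployment the function body is stored as a string under the `validate_doc_update` key of a design document; CouchDB turns a thrown `{forbidden: ...}` into a 403 and `{unauthorized: ...}` into a 401. The harness exists only so the rules can be exercised offline.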