const express = require("express");
const mongoose = require("mongoose");
const bodyparser = require("body-parser");

const app = express();

// Form bodies go through body-parser's "extended" (qs-style) parser, so a field can
// arrive as a nested object instead of a string; /login checks for exactly that.
const formBodyParser = bodyparser.urlencoded({ extended: true });
app.use(formBodyParser);
// Files under ./public are served as-is.
app.use(express.static("public"));

// Use the native Promise implementation for mongoose's promise-returning APIs.
mongoose.Promise = global.Promise;
// Connection is to a local, unauthenticated MongoDB; the outcome is only logged.
const connecting = mongoose.connect("mongodb://localhost/test", { useNewUrlParser: true });
connecting
	.then(() => {
		console.log("connected mongoose");
	})
	.catch((e) => {
		console.log(e);
	});

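// `db` is not referenced anywhere else in this file; the binding is kept as-is.
const db = mongoose.connection;

// NOTE(review): `password` is a bare String, so whatever the caller stores is kept
// verbatim — in this file that is the plaintext password. Hashing before save would
// have to be added here (or in a pre-save hook); it is not changed in this pass.
const UserScheme = new mongoose.Schema({
	username: String,
	password: String
});
const User = mongoose.model("User", UserScheme);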

app.get("/setadmin", (req, res) => {
	var admin = new User({ username: "admin", password: "admin" });
	admin.save((err, result) => {});
	res.send("Done");
});

app.get("/list", (req, res) => {
	User.find({}, (err, docs) => {
		res.send(docs);
	});
});

app.get("/", (req, res) => {
	res.send(`
	<html>
	<body>
		<form action="/login" method="POST">
			<input type="text" name="username">
			<input type="text" name="password">
			<input type="submit" value="login">
		</form>
	</body>
	</html>
	`);
});

app.post("/login", (req, res) => {
	var username = req.body.username;
	var password = req.body.password;

	console.log(username, password);
	console.log(typeof username, typeof password);
	if(typeof username !== "string" || typeof password !== "string") {
		res.send("login failed");
		return;
	}

	User.findOne({ username: username, password: password }).exec((err, result) => {
		if(result){
			res.send(`hello ${username}`);
		} else {
			res.send("login failed");
		}
	});
});

// Port the HTTP server listens on; no host is given, so Node binds all interfaces.
const PORT = 3000;
app.listen(PORT);

자다가 배고파서 라면먹고 nodejs 공부나 해야겠다 싶어서 구글링 해가면서 20분만에 짠 코드

 

typeof로 string 타입인지 체크하는 방식으로 NoSQL injection을 막아봄.

 

 
