Why is it not recommended to use server-side stored functions in MongoDB? - McMap

About

Why is it not recommended to use server-side stored functions in MongoDB?

Asked 27/3, 2013 at 13:33 Answered 27/3, 2013 at 13:40

Solved security mongodb stored-functions

S

1

18

According to the MongoDB documentation, it isn't recommended to use server-side stored functions. What is the reason behind this warning?

Soule answered 27/3, 2013 at 13:33 Comment(0)

B

21

I am sure I have stated the list a couple of times despite the Google search result being filled only with people telling you how to do it:

It is eval
eval has natural abilities to be easily injected, it is like a non-PDO equilivant to SQL, if you don't buld a full scale escaping library around it it will mess you up. By using these functions you are effectively replacing the safer native language of MongoDB for something that is just as insecure as any old SQL out there.
It takes a global lock and can take write lock and will not release until the operation is completely done, unlike other operations which will release in certain cases.
eval only works on Primaries and never any other member of the replica set
It is basically running, unchecked, a tonne of JS in a bundled V8/spidermonkey envo that comes with MongoDB with full ability to touch any part of your database and admin commands, does that sound safe?
It is NOT MongoDB and nor is it "MongoDBs SQL", it runs within a built in JS environment, not MongoDBs C++ code itself (unlike the aggregation framework).
Due to the previous point it is EXTREMELY slow in comparison to many other options, this goes for $where usage as well.

That should be enough to get you started on this front.

Bates answered 27/3, 2013 at 13:40 Comment(5)

Ok, thanks! About this statement: "Due to the previous point it is EXTREMELY slow in comparison to many other options...". I believe when you wrote this, you mean slow in read operations, right? My problem is: I have perform a function over each document of my collection, and read-update-write is really slow when using mongodb-nodejs-native driver. Any thoughts on this? – Soule 27/3, 2013 at 21:26

@EduardoMelo Any operation, the JavaScript will be slower in execution than the C++ code any day, not only that but it isn't natively put into JS, i.e. the JS enigne is started up, a thread made and then the C++ code passes the JS function to be run by the engine. Hmm if it is over every document then it sounds like a one time command, I would do this via the console on the same server as the master MongoDB – Bates 27/3, 2013 at 23:19

Are the issues around locking/concurrency/performance still valid? The current documentation suggests that as of version 2.4, the default JavaScript engine now "allows multiple JavaScript operations to execute at the same time" without acquiring locks. docs.mongodb.org/manual/core/server-side-javascript – Lightsome 13/6, 2013 at 16:15

@StevePerkins I am unsure I have not tested it to be frank however, it is still not the native C++ code and optimisations you can garnish in the aggregation framework or native C++ code in MongoDB will not exist – Bates 13/6, 2013 at 16:31

@StevePerkins can you please guide me what is proper and good approach to use stored function, or if these are not recommended that which the best option ?? – Vitrescence 4/3, 2015 at 15:27

Recommended topics

#Godot #Unity #Godot 4.X #Mongodb

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

© 2022 - 2024 — McMap. All rights reserved.