登录
首页 >  Golang >  Go问答

数据库查询语句将明文返回,引发安全恐慌

来源:stackoverflow

时间:2024-02-07 15:15:26 296浏览 收藏

知识点掌握了,还需要不断练习才能熟练运用。下面golang学习网给大家带来一个Golang开发实战,手把手教大家学习《数据库查询语句将明文返回,引发安全恐慌》,在实现功能的过程中也带大家重新温习相关知识点,温故而知新,回头看看说不定又有不一样的感悟!

问题内容

我正在测试类似于以下内容的数据库插入语句,该语句在本地工作,但在部署到连接到托管数据库主机的 kubernetes 集群后不起作用:

func insert(w http.responsewriter, r *http.request) {
    db := dbconn()
    //if it's a post request, assign a variable to the value returned in each field of the new page.
    if r.method == "post" {
        email := r.formvalue("email")
        socialnetwork := r.formvalue("social_network")
        socialhandle := r.formvalue("social_handle")
        createdon := time.now().utc()

        //prepare a query to insert the data into the database
        insform, err := db.prepare(`insert into public.users(email, social_network, social_handle) values ($1,$2, $3)`)
        //check for  and handle any errors
        checkerror(err)
        //execute the query using the form data
        _, err = insform.exec(email, socialnetwork, socialhandle)
        checkerror(err)
        //print out added data in terminal
        log.println("insert: email: " + email + " | social network: " + socialnetwork + " | social handle : " + socialhandle + " | created on: " + createdon.string() + " | createdon is type: " + reflect.typeof(createdon).string())
        sendthanks(socialhandle, email)
    }
    defer db.close()

    //redirect to the index page
    http.redirect(w, r, "/thanks", 301)
}

我已使用相应的机密对象配置了如下部署:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: novvsworld
  namespace: novvsworld
spec:
  replicas: 1
  selector:
    matchLabels:
      app: novvsworld
  template:
    metadata:
      labels:
        app: novvsworld
    spec:
      containers:
        - name: novvsworld
          image: my.registry.com/registry/novvsworld:latest
          resources:
            limits:
              memory: "128Mi"
              cpu: "500m"
          ports:
            - containerPort: 3000
          env:
            - name: DBHOST
              valueFrom:
                secretKeyRef:
                  name: novvworld-secrets
                  key: DBHOST
            - name: DBPORT
              valueFrom:
                secretKeyRef:
                  name: novvworld-secrets
                  key: DBPORT
            - name: DBUSER
              valueFrom:
                secretKeyRef:
                  name: novvworld-secrets
                  key: DBUSER
            - name: DBPASS
              valueFrom:
                secretKeyRef:
                  name: novvworld-secrets
                  key: DBPASS
            - name: DBSSLMODE
              valueFrom:
                secretKeyRef:
                  name: novvworld-secrets
                  key: DBSSLMODE
            - name: SENDGRID_API_KEY
              valueFrom:
                secretKeyRef:
                  name: novvworld-secrets
                  key: SENDGRID_API_KEY

“dbsslmode”的值当前在机密文件中设置为“禁用”。

通过前端输入数据测试insert语句时,返回如下panic:

022/08/15 18:50:58 http:恐慌服务 10.244.0.38:47590:pq:主机“167.172.231.113”、用户“novvsworld”、数据库“novvsworld”没有 pg_hba.conf 条目,无加密

我是否缺少加密的附加配置,并且不应将 sslmode 设置为禁用绕过此配置?


正确答案


是的,这就是问题所在。客户端拒绝使用 SSL。而服务器(配置未显示,但可以从错误中推断)拒绝在没有 SSL 的情况下继续进行。

只要双方提出不相容的要求,不肯妥协,就什么也做不了。

以上就是《数据库查询语句将明文返回,引发安全恐慌》的详细内容,更多关于的资料请关注golang学习网公众号!

声明:本文转载于:stackoverflow 如有侵犯,请联系study_golang@163.com删除
相关阅读
更多>
最新阅读
更多>
课程推荐
更多>