What could go wrong if I let users create their own Mongo collections?

I am in the process of building a basic no-code solution to build RESTful APIs that support CRUD operations on a MongoDB collection. Right now it is just a Proof of Concept project that I use internally with no external users.

I saw this question on Stack Overflow the other day and I thought that it could allow me to convert this little project into a SaaS concept.

Allowing users to create their own collections in MongoDB could be potentially insecure, but I couldn't think of any catastrophic consequence... Maybe the fact that malicious users can purposely create a collection that is horrible in performance? Or maybe the user could inject some references to other collections...?

Does having a separate Mongo database help to mitigate those attacks? Or could you give me more reasons why this is a bad idea?

Thank you very much!


Solution 1:

A few problems I can think of:

  1. Duplicate collection names
  2. Unwanted characters
  3. Performance issue is there as you might not be able to control the indexes

A different approach would be for you to create the collection for them and let them put the data into a mixed field. Still, you will face the indexing problem to some extent.
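
One way to handle the duplicate-name and unwanted-character problems listed in the answer above, as an added example that is not part of the original post: an allow-list check plus a per-tenant prefix applied before any name reaches MongoDB. The function names, the tenant id format, the length limit and the `t_<tenant>_<name>` scheme are assumptions, and the `Set` stands in for whatever metadata store tracks existing collections.

```javascript
// Added example. The limits, tenant id format and prefix scheme are assumptions.
const MAX_NAME_LENGTH = 64;           // assumed product limit
const NAME_RE = /^[a-z][a-z0-9_]*$/;  // allow-list: excludes "$", ".", NUL and non-ASCII
const TENANT_RE = /^[a-f0-9]{24}$/;   // assumed server-issued tenant id format

// Map a user-supplied name to the collection name actually used in MongoDB.
function physicalCollectionName(tenantId, requestedName) {
  if (typeof tenantId !== "string" || !TENANT_RE.test(tenantId)) {
    throw new Error("invalid tenant id");
  }
  if (typeof requestedName !== "string") {
    throw new Error("collection name must be a string");
  }
  // Fold case so "Orders" and "orders" count as the same name.
  const name = requestedName.toLowerCase();
  if (name.length > MAX_NAME_LENGTH || !NAME_RE.test(name)) {
    throw new Error("collection name not allowed");
  }
  // The fixed-format prefix keeps tenants apart and means no user-chosen
  // name can begin with the reserved "system." prefix.
  return `t_${tenantId}_${name}`;
}

// Reject duplicates. `registry` is a Set standing in for a metadata store.
function registerCollection(registry, tenantId, requestedName) {
  const physical = physicalCollectionName(tenantId, requestedName);
  if (registry.has(physical)) {
    throw new Error("collection already exists");
  }
  registry.add(physical);
  return physical;
}

// Constructed sample input.
const registry = new Set();
const tenantA = "5f1d7f3e2b9c4a0012345678";
const tenantB = "5f1d7f3e2b9c4a0012345679";
console.log(registerCollection(registry, tenantA, "orders"));
console.log(registerCollection(registry, tenantB, "orders"));
for (const bad of ["system.users", "a$b", "", "orders\u0000x", "Orders"]) {
  try {
    registerCollection(registry, tenantA, bad);
  } catch (e) {
    console.log(JSON.stringify(bad), "->", e.message);
  }
}
```

This covers points 1 and 2 only; the index problem from point 3 is not addressed by name handling.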