Environment variables are the means by which the Cloud Foundry runtime communicates to the application about its environment. One of the most important pieces of information it communicates are the services which are available and how to connect with them.
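The same page provides a sample of the environment variables, containing connection parameters such as the MySQL database username and password.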
VCAP_SERVICES: {
"mongodb-1.8":[{"name":"hello-mongo","label":"mongodb-1.8","plan":"free","credentials":{"hostname":"172.30.48.64","port":25003,"username":"e4f2c402-1153-4dfb-8d98-2f6efc65e441","password":"f17f81e4-9855-4b9c-a22b-e6a9e6f113c3","name":"mongodb-5751dac0-3b5e-405b-a1e1-2b384fe4026d","db":"db"}}],
"redis-2.2":[{"name":"hello-redis","label":"redis-2.2","plan":"free","credentials":{"node_id":"redis_node_4","hostname":"172.30.48.43","port":5002,"password":"e1d7acb0-2baf-42be-84bc-3365aa819586","name":"redis-96836b7c-0949-45fd-a741-c7be5951d52f"}}],
"mysql-5.1":[{"name":"hello-mysql","label":"mysql-5.1","plan":"free","credentials":{"node_id":"mysql_node_5","hostname":"172.30.48.24","port":3306,"password":"pw4EKJqL6na6f","name":"dd9b58515e3cb41958a30bf2af88126fc","user":"uLfJbOmxfSEUt"}}]
}
The page further states:
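You can use Java's environment variable API and/or existing Spring XML features to consume this information in your application, but using the new cloud namespace (shown here) puts this information into a convenient properties object, which makes it easy to consume.
I understand this and would like to know what implications this arrangement has for application security. Specifically, what measures should developers take so that a malicious attacker does not gain direct control of backend services such as the MySQL database?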
EDIT: Apart from the risk of an attacker gaining control of a backend service, I can also imagine the risk of an attacker causing the application to connect to a malicious backend.
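One defensive way to consume a binding like the one quoted in the question, as an added example that is not part of the original post or of Cloud Foundry's own code: it checks the bound host and port before the application connects, and masks secrets before anything is logged. The trusted network range, the expected port table, the helper names and the sample credential values are assumptions made for illustration.

```python
import ipaddress
import json
import os

# Constructed sample in the shape of the VCAP_SERVICES value quoted above;
# the credential values are placeholders, not real secrets.
SAMPLE_VCAP = json.dumps({"mysql-5.1": [{
    "name": "hello-mysql", "label": "mysql-5.1", "plan": "free",
    "credentials": {"hostname": "172.30.48.24", "port": 3306,
                    "user": "example-user", "password": "example-password",
                    "name": "example-db"}}]})

# Assumptions: the platform's service network and the port each label uses.
TRUSTED_NETWORK = ipaddress.ip_network("172.30.48.0/24")
EXPECTED_PORTS = {"mysql-5.1": 3306}
SECRET_KEYS = {"password", "user", "username"}


def load_binding(vcap_json, label, name):
    """Return the credentials of one bound service, or raise ValueError."""
    try:
        services = json.loads(vcap_json)
    except json.JSONDecodeError as exc:
        raise ValueError("VCAP_SERVICES is not valid JSON") from exc
    if not isinstance(services, dict):
        raise ValueError("VCAP_SERVICES must be a JSON object")
    matches = [s for s in services.get(label, [])
               if isinstance(s, dict) and s.get("name") == name]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one {label} binding named {name}")
    creds = matches[0].get("credentials", {})
    try:
        host = ipaddress.ip_address(creds["hostname"])
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError("binding has no literal IP hostname") from exc
    if host not in TRUSTED_NETWORK:
        raise ValueError(f"{host} is outside the trusted service network")
    if creds.get("port") != EXPECTED_PORTS.get(label):
        raise ValueError("unexpected service port")
    return creds


def redacted(creds):
    """Copy of the credentials that is safe to write to a log."""
    return {k: ("***" if k in SECRET_KEYS else v) for k, v in creds.items()}


if __name__ == "__main__":
    raw = os.environ.get("VCAP_SERVICES", SAMPLE_VCAP)
    print(redacted(load_binding(raw, "mysql-5.1", "hello-mysql")))
```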