JavaScript NoSQL Injection prevention in MongoDB

by

Sushant‘s answer is not correct. You need to be aware of NoSQL injection in MongoDB.

Example (taken from here)

User.findOne({
    "name" : req.params.name, 
    "password" : req.params.password
}, callback);

If req.params.password is { $ne: 1 }, the user will be retrieved without knowing the password ($ne means not equals 1).

MongoDB Driver

You can use mongo-sanitize:

It will strip out any keys that start with ‘$’ in the input, so you
can pass it to MongoDB without worrying about malicious users
overwriting.

var sanitize = require('mongo-sanitize');

var name = sanitize(req.params.name);
var password = sanitize(req.params.password);

User.findOne({
    "name" : name, 
    "password" : password
}, callback);

Mongoose Driver

As it follows a schema, if the password is a string field, it will convert the object { $ne: 1 } to string and no damage will be done. In this case, you don’t need to sanitize, just remember to set a proper schema.

More Related Contents:

  1. Updating a Nested Array with MongoDB
  2. Mongoose and multiple database in single node.js project
  3. MongoDB, remove object from array
  4. How do I update/upsert a document in Mongoose?
  5. Mongoose find/update subdocument
  6. Mongoose, Select a specific field with find
  7. How to sort in mongoose?
  8. Mongoose difference between .save() and using update()
  9. Bulk upsert in MongoDB using mongoose
  10. UnhandledPromiseRejectionWarning: MongooseServerSelectionError
  11. Mongoose subdocuments vs nested schema
  12. Why is an _id with ObjectID added to when using MongoDB’s $push to add new object to an array?
  13. How to set _id to db document in Mongoose?
  14. What is a TransientTransactionError in Mongoose (or MongoDB)?
  15. Mongoose.js: Find user by username LIKE value
  16. Server Discovery And Monitoring engine is deprecated
  17. Mongoose Not Creating Indexes
  18. is there a mongoose connect error callback
  19. MongooseServerSelectionError: connect ECONNREFUSED ::1:27017
  20. Node.js mongodb driver async/await queries
  21. Find after populate mongoose
  22. What is the difference between id and _id in mongoose?
  23. Group by Date with Local Time Zone in MongoDB
  24. MongooseError: Model.findOne() no longer accepts a callback at Function
  25. Mongoose find() not returning result
  26. Render basic HTML view?
  27. How do I remove documents using Node.js Mongoose?
  28. Inserting and Querying Date with MongoDB and Nodejs
  29. Formatting ISODate from Mongodb
  30. Cannot find module ‘../build/Release/bson’] code: ‘MODULE_NOT_FOUND’ } js-bson: Failed to load c++ bson extension, using pure JS version

Leave a Comment