Do I need to sanitize user input before inserting in MongoDB (MongoDB+Node js combo)

I'm using MongoDB with NodeJS and am wondering if I need to sanitize data before inserting/updating database documents. It's hard to find a definite answer, and I'm wondering whether there are any Node modules that do it nicely, whether I need to strip all occurrences of $ in strings, or whether there is simply no need to worry about this. I know that PHP has holes, but I'm using the Node/Mongo (native driver) combo and am still not sure if I need to do any cleaning of user input.

spirytus asked Jun 01 '15 23:06


People also ask

Should you sanitize user input?

User input should always be treated as malicious before it makes its way down into the lower layers of your application. Sanitize input as early as possible; it should not, for any reason, be stored in your database before it has been checked for malicious content.

Does Mongoose sanitize inputs?

If you prefer explicitly calling a function rather than setting an option, Mongoose also exports a sanitizeFilter() function. The sanitizeFilter() function lets you sanitize input against query selector injections yourself.


1 Answer

If you store your data as a String and you are not parsing it to execute a Mongo command, then there is not much to worry about.

Nice article on security

http://cr.yp.to/qmail/guarantee.html

The only problem occurs when you are retrieving the user input and you parse that input to execute a Mongo command; here you will need to take care to sanitize the input, or else you will get attacked.

There is an npm package to do that for you

https://www.npmjs.com/package/mongo-sanitize

and nice article on this too

https://thecodebarbarian.wordpress.com/2014/09/04/defending-against-query-selector-injection-attacks/

Tim answered Sep 18 '22 00:09
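The distinction the answer draws, as an added example that is not from the original post or from the mongo-sanitize package: a `$` inside a string value is stored as-is and is harmless, but a JSON body value such as `{"$gt": ""}` becomes a query operator if it is spliced into a filter unchecked. `sanitize()` below mimics what a package like mongo-sanitize does (strip `$`-prefixed keys recursively), and `buildLoginFilter()` is the stricter type check; both function names and the sample request body are constructed for this example.

```javascript
// Recursively remove keys beginning with "$" so that an object arriving from
// a parsed JSON body cannot carry MongoDB query operators into a filter.
// Strings, numbers, booleans and null are returned unchanged: a "$" inside a
// string value is just data, which is the answer's point.
function sanitize(value) {
  if (Array.isArray(value)) return value.map(sanitize);
  if (value !== null && typeof value === "object") {
    const clean = {};
    for (const [key, v] of Object.entries(value)) {
      if (key.startsWith("$")) continue; // drop operator keys such as $gt, $ne, $where
      clean[key] = sanitize(v);
    }
    return clean;
  }
  return value;
}

// Detection helper: report whether untrusted input contains any operator key,
// useful for logging a rejected request rather than silently cleaning it.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === "object") {
    return Object.entries(value).some(
      ([key, v]) => key.startsWith("$") || containsOperator(v)
    );
  }
  return false;
}

// Stricter alternative for a login form: credentials must be plain strings.
// Refusing non-strings means {$gt: ""} never reaches the query at all.
function buildLoginFilter(body) {
  const { username, password } = body;
  if (typeof username !== "string" || typeof password !== "string") {
    throw new TypeError("username and password must be strings");
  }
  return { username, password };
}

// Constructed sample body: the classic password bypass payload that would match
// every document if passed straight to collection.findOne(body).
const injectedBody = { username: "admin", password: { $gt: "" } };
// Constructed sample body: a legitimate password that merely contains a "$".
const legitBody = { username: "admin", password: "pa$$word" };

console.log("operator present:", containsOperator(injectedBody)); // true
console.log("cleaned filter:", JSON.stringify(sanitize(injectedBody)));
console.log("legit filter:", JSON.stringify(buildLoginFilter(legitBody)));
```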