JavaScript NoSQL Injection prevention in MongoDB

How can I prevent JavaScript NoSQL injections into MongoDB?

I am working on a Node.js application and I am passing req.body, which is a JSON object, into the mongoose model's save function. I thought there were safeguards behind the scenes, but this doesn't appear to be the case.

655 votes. Asked Nov 18 '12 01:11 by daniel
2 Answers

Sushant's answer is not correct. You need to be aware of NoSQL injection in MongoDB.

Example (taken from here)

User.findOne({
    "name" : req.params.name,
    "password" : req.params.password
}, callback);

If req.params.password is { $ne: 1 }, the user will be retrieved without knowing the password ($ne means "not equal to 1").

MongoDB Driver

You can use mongo-sanitize:

It will strip out any keys that start with '$' in the input, so you can pass it to MongoDB without worrying about malicious users overwriting.

var sanitize = require('mongo-sanitize');

var name = sanitize(req.params.name);
var password = sanitize(req.params.password);

User.findOne({
    "name" : name,
    "password" : password
}, callback);

Mongoose Driver

As it follows a schema, if the password is a string field, it will convert the object { $ne: 1 } to a string and no damage will be done. In this case, you don't need to sanitize; just remember to set a proper schema.

84 votes. Answered Sep 21 '22 10:09 by Zanon

Although the post is obsolete, I'm answering.

I know three ways.

First: there is a multipurpose content-filter, which also provides MongoDB injection protection by filtering.

Second: mongo-sanitize, a helper to sanitize MongoDB queries against query selector injections.

Third: I had seen this solution over here, which can be applied to MongoDB too. It's really simple to implement: just use the built-in escape() function of JavaScript.

escape() converts the string into ASCII codes. $ne is converted into %24ne.

var privateKey = escape(req.params.privateKey);

App.findOne({ key: privateKey }, function (err, app) {
  // do something here
});
39 votes. Answered Sep 19 '22 10:09 by efkan
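The following is an added example, not code from the question or either answer above. It ties the two answers together: it shows how an operator object such as { $ne: 1 } in request data turns a credential lookup into a match-anything filter, then applies two defences discussed in the thread, a recursive sanitizer that strips "$"-prefixed keys (the behaviour mongo-sanitize documents for its input; the function here is a hand-written stand-in, not the library) and a strict type check at the request boundary in the spirit of the schema discussion. The in-memory `findOne`, `fieldMatches` and the `users` records are constructed for this example so that it runs offline without MongoDB or Mongoose.

```javascript
// Added example (not from the original thread). A tiny in-memory matcher
// stands in for MongoDB so the injection and the defences can be run offline.

// Evaluate one filter condition against a document field. Supports plain
// equality and the $ne operator only, which is enough to show the problem.
function fieldMatches(value, condition) {
  if (condition !== null && typeof condition === 'object' && !Array.isArray(condition)) {
    if ('$ne' in condition) return value !== condition.$ne;
    return false; // unsupported operator or empty object: no match
  }
  return value === condition;
}

// Constructed stand-in for collection.findOne(filter): first matching doc or null.
function findOne(collection, filter) {
  return collection.find(doc =>
    Object.keys(filter).every(key => fieldMatches(doc[key], filter[key]))) || null;
}

// Recursive sanitizer in the style of mongo-sanitize: any key that starts
// with "$" is dropped, and nested objects and arrays are walked.
function sanitize(input) {
  if (Array.isArray(input)) return input.map(sanitize);
  if (input !== null && typeof input === 'object') {
    const clean = {};
    for (const [key, val] of Object.entries(input)) {
      if (key.startsWith('$')) continue;
      clean[key] = sanitize(val);
    }
    return clean;
  }
  return input;
}

// Strict boundary check: a field declared as a string must arrive as a
// string. Rejecting non-strings outright means the code does not rely on
// how any particular driver casts operator objects.
function castToString(value) {
  if (typeof value !== 'string') throw new TypeError('expected a string');
  return value;
}

// Constructed records standing in for a users collection.
const users = [
  { name: 'alice', password: 'correct horse' },
  { name: 'bob', password: 'hunter2' },
];

// The vulnerable pattern from the thread: request data goes straight into the filter.
function loginUnsafe(params) {
  return findOne(users, { name: params.name, password: params.password });
}

// Defence 1: strip operator keys before building the filter.
function loginSanitized(params) {
  return findOne(users, { name: sanitize(params.name), password: sanitize(params.password) });
}

// Defence 2: enforce the expected type and refuse to query on a mismatch.
function loginTyped(params) {
  let name, password;
  try {
    name = castToString(params.name);
    password = castToString(params.password);
  } catch (e) {
    return null; // reject the request instead of querying
  }
  return findOne(users, { name, password });
}

// Constructed inputs: a legitimate login and the operator-object body from the thread.
const honest = { name: 'alice', password: 'correct horse' };
const injected = { name: 'alice', password: { $ne: 1 } };

console.log(loginUnsafe(injected) !== null);     // true: password check bypassed
console.log(loginSanitized(injected) === null);  // true: {$ne:1} becomes {} and matches nothing
console.log(loginTyped(injected) === null);      // true: non-string password rejected
console.log(loginTyped(honest).name);            // alice
```

In the sanitized path the filter becomes `{ password: {} }`, which matches no string value, so the login fails rather than succeeding; the typed path never reaches the database at all, which is the simpler property to reason about when the field's type is known in advance.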