Reputation: 1104
I have a question. Are queries in Mongo repositories in Spring Data safe from NoSQL injection attacks? Is it possible to successfully perform such an attack on a Spring Boot application? For example, if I create an interface which extends MongoRepository with my own methods, are the default queries generated in a safe way, so that such an attack is not possible? Thanks
Upvotes: 8
Views: 4682
Reputation: 1104
I created a small Spring Boot application with one Mongo repository. I performed some basic NoSQL injection attacks on it, and just to be sure that they work, I also ran them using Robo3T and checked that the output was as I expected. For example, making a query like:
db.getCollection('user').find({
"login":"f1",
"password" : { '$ne': null } })
would give me all users with that login which exist in the database. I made these attacks by supplying such a { '$ne': null } for a String field type (I also did some other attacks with other types, but I will explain my other conclusions later). As I figured out, in that way it's impossible to provide our own commands. Spring just made this look like:
"password":"{ '$ne': null }"
and whenever we try to end it early with "", it just adds \ to our query, for example:
{ "login" : "f1", "password" : "\"end earlier\"" }
I also checked making other requests (mostly from here: https://github.com/cr0hn/nosqlinjection_wordlists/blob/master/mongodb_nosqli.txt as I found it here https://www.owasp.org/index.php/Testing_for_NoSQL_injection, maybe these links will help someone); however, none of them was successful. So as far as I am concerned, they were prepared for cases like NoSQL injection and they secured against it. However, I would be grateful if someone could uphold or disagree with my opinion (which was based on the attacks I performed) and provide some more proof or examples. Thanks.
Upvotes: 8
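The behaviour reported in the answer above, as an added example that is not part of the original posts and is not Spring Data or MongoDB driver code: a small in-memory model of equality and `$ne` matching showing why the same text is harmless when bound as a string value and not when it arrives as a parsed document. The function names (`bindAsString`, `bindUntyped`, `find`) and the user records are constructed for illustration, and the untyped handler is a hypothetical contrast case that goes beyond what the answer tested.

```javascript
// Added illustration: in-memory model of MongoDB equality and $ne matching.
// Constructed sample data.
const users = [
  { login: "f1", password: "s3cret" },
  { login: "f1", password: "hunter2" },
  { login: "f2", password: "letmein" },
];

// A plain object whose keys all start with "$" is an operator document.
function isOperatorDoc(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v) &&
    Object.keys(v).length > 0 && Object.keys(v).every((k) => k.startsWith("$"));
}

// Only literal equality and {$ne: x} are modelled; other operators are rejected.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const actual = field in doc ? doc[field] : null; // missing field behaves as null
    if (!isOperatorDoc(cond)) return actual === cond;
    return Object.entries(cond).every(([op, arg]) => {
      if (op === "$ne") return actual !== arg;
      throw new Error("operator not modelled: " + op);
    });
  });
}

function find(filter) {
  return users.filter((u) => matches(u, filter));
}

// Typed binding, as with a String method parameter: the text is placed in the
// filter as a string value and is never parsed as a document.
function bindAsString(login, password) {
  return { login: String(login), password: String(password) };
}

// Untyped binding (hypothetical handler): a parsed JSON body is used as-is, so
// an object sent for "password" becomes an operator document.
function bindUntyped(body) {
  return { login: body.login, password: body.password };
}

const safeFilter = bindAsString("f1", "{ '$ne': null }");
const unsafeFilter = bindUntyped({ login: "f1", password: { $ne: null } });
console.log(find(safeFilter).length, find(unsafeFilter).length);
```

The string-bound filter matches no user, while the untyped one matches every record with login f1, which is the difference between the Robo3T query and the query Spring produced.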