Unsanitized input in NoSQL query
- Rule ID: javascript_express_nosql_injection
- Languages: javascript
- Source: nosql_injection.yml
Description
Using unsanitized data in NoSQL queries exposes your application to NoSQL injection attacks. This vulnerability arises when user input, request data, or any externally influenced data is directly passed into a NoSQL query function without proper sanitization.
Remediations
- Do not include raw, unsanitized user input in NoSQL queries. This practice can lead to NoSQL injection vulnerabilities.
const User = require("../models/user")
const newUser = new User(req.body); // unsafe - Do sanitize all input data before using it in NoSQL queries. Ensuring data is properly sanitized can prevent NoSQL injection attacks.
const User = require("../models/user");
username = req.params.username;
User.findOne({ name: username.toString() });
References
Associated CWE
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=javascript_express_nosql_injectionTo run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=javascript_express_nosql_injection