Unsanitized input in NoSQL query
- Rule ID: python_lang_nosql_injection
- Languages: python
- Source: nosql_injection.yml
Description
Using unsanitized data in NoSQL queries exposes your application to NoSQL injection attacks. This vulnerability arises when user input, request data, or any externally influenced data is directly passed into a NoSQL query function without proper sanitization.
Remediations
- Do not include raw, unsanitized user input in NoSQL queries. This practice can lead to NoSQL injection vulnerabilities.

query = '{ "username": "' + unsafe_input + '" }'
collection.find_one(query)  # unsafe: the filter is assembled by string concatenation

- Do use parameterized queries instead of concatenating strings. This ensures that you take advantage of any built-in input sanitization that your NoSQL client may offer.

collection.find_one({ "username": unsafe_input })

- Do sanitize and validate all input data before using it in NoSQL queries. Ensuring data is properly sanitized and validated can prevent NoSQL injection attacks. For example, you could parse external data as a string or convert the data into an appropriate BSON type.

import bson

unsafe_input = request.GET.get("username")
collection.find_one({ "username": str(unsafe_input) })
# or
collection.find_one({ "uuid": bson.ObjectId(unsafe_input) })  # raises bson.errors.InvalidId on malformed input
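The type-validation remediation above, worked through as an added example (this is not Bearer's own code). It assumes a small in-memory FakeCollection standing in for a pymongo collection so it runs offline, and as_object_id is a hand-rolled stand-in for the strictness of bson.ObjectId(); unlike str(), it rejects non-string input outright rather than coercing it.

```python
"""Build NoSQL filters from untrusted input only after validating its type."""
import re
from typing import Any, Optional

# Shape of a MongoDB ObjectId: 24 hex digits (bson.ObjectId enforces the same).
_OBJECT_ID_RE = re.compile(r"^[0-9a-fA-F]{24}$")


class FakeCollection:
    """Constructed stand-in for a pymongo collection: exact-value matching only."""

    def __init__(self, docs: list) -> None:
        self._docs = docs

    def find_one(self, flt: dict) -> Optional[dict]:
        for doc in self._docs:
            if all(doc.get(key) == value for key, value in flt.items()):
                return doc
        return None


def as_plain_string(raw: Any, field: str) -> str:
    """Accept only a str; JSON bodies and qs-style parsers can hand back dicts or lists,
    and a dict placed in a filter would be read by the database as a query operator."""
    if not isinstance(raw, str):
        raise ValueError(f"{field}: expected a string, got {type(raw).__name__}")
    return raw


def as_object_id(raw: Any) -> str:
    """Accept only a well-formed ObjectId string; with pymongo, pass bson.ObjectId(raw) instead."""
    if not isinstance(raw, str) or not _OBJECT_ID_RE.match(raw):
        raise ValueError("uuid: not a valid ObjectId")
    return raw.lower()


def find_user(collection: FakeCollection, raw_username: Any) -> Optional[dict]:
    """Parameterized filter: a dict, never a concatenated string, with a type-checked value."""
    return collection.find_one({"username": as_plain_string(raw_username, "username")})


# Constructed sample data.
USERS = FakeCollection([{"_id": "5f1d7f3e9b1e8a2c4d6e8f01", "username": "alice"}])
```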
References
Associated CWE
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=python_lang_nosql_injection
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=python_lang_nosql_injection