Unsanitized input in NoSQL query


Using unsanitized data in NoSQL queries exposes your application to NoSQL injection attacks. This vulnerability arises when user input, request data, or any externally influenced data is directly passed into a NoSQL query function without proper sanitization.


  • Do not include raw, unsanitized user input in NoSQL queries. This practice can lead to NoSQL injection vulnerabilities.
      query = '{ "username": "' + unsafe_input + '" }'
      collection.find_one(query)  # unsafe: query text built from raw input
  • Do use parameterized queries instead of concatenating strings. This ensures that you take advantage of any built-in input sanitization that your NoSQL client may offer.
      collection.find_one({ "username": unsafe_input })
  • Do sanitize and validate all input data before using it in NoSQL queries. Ensuring data is properly sanitized and validated can prevent NoSQL injection attacks. For example, you could parse external data as a string or convert the data into an appropriate BSON type.
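      unsafe_input = request.GET.get("username")
      # force the value to a plain string before it reaches the filter
      collection.find_one({ "username": str(unsafe_input) })
      # or convert it to the BSON type the field is expected to hold
      collection.find_one({ "uuid": bson.ObjectId(unsafe_input) })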
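
The validation step described in the last item, as an added example that is not part of the original rule documentation. It is stricter than the str() call above: it rejects non-string values instead of coercing them. The helper names, the "id" parameter and the length limit are assumptions made for illustration, and the sample inputs are constructed.

```python
import re

# String form accepted by bson.ObjectId: exactly 24 hexadecimal characters.
OBJECT_ID_RE = re.compile(r"[0-9a-fA-F]{24}")

class InvalidQueryValue(ValueError):
    """Raised when external data is not safe to place in a query filter."""

def require_str(value, field, max_len=128):
    # A decoded JSON body can yield dicts or lists; a dict placed in a filter
    # is read by the database as an operator document, not as a literal value.
    if not isinstance(value, str):
        raise InvalidQueryValue(f"{field}: expected string, got {type(value).__name__}")
    if not 0 < len(value) <= max_len:
        raise InvalidQueryValue(f"{field}: length out of range")
    return value

def require_object_id_hex(value, field):
    value = require_str(value, field, max_len=24)
    if not OBJECT_ID_RE.fullmatch(value):
        raise InvalidQueryValue(f"{field}: not a 24-character hex ObjectId")
    return value.lower()

def build_user_filter(params):
    """Build a filter dict from decoded request parameters (hypothetical helper)."""
    query = {"username": require_str(params.get("username"), "username")}
    if "id" in params:
        # With a MongoDB driver installed, wrap this in bson.ObjectId(...) before querying.
        query["_id"] = require_object_id_hex(params["id"], "id")
    return query

# Constructed sample inputs, as they might look after json.loads() of a request body.
SAMPLES = [
    {"username": "alice"},
    {"username": "alice", "id": "5F2B1C9E8A7D4E3B2A1C0D9E"},
    {"username": {"$ne": ""}},  # operator document where a string is expected
    {"username": "alice", "id": "not-an-object-id"},
]

def classify(samples):
    results = []
    for params in samples:
        try:
            results.append(("ok", build_user_filter(params)))
        except InvalidQueryValue as exc:
            results.append(("rejected", str(exc)))
    return results
```

Calling classify(SAMPLES) returns one ("ok", filter) or ("rejected", reason) pair per sample; only the first two samples produce a filter.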


Associated CWE


To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=python_lang_nosql_injection

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=python_lang_nosql_injection