# Unsanitized input in NoSQL query

## Overview

* **Rule ID**: `javascript_express_nosql_injection`
* **Applicable Languages**: JavaScript
* **Weakness ID**: CWE-943

## Description

Using unsanitized data in NoSQL queries exposes your application to NoSQL injection attacks. This vulnerability occurs when user input, request data, or any externally influenced data is directly passed into a NoSQL query function without proper sanitization.

## Remediation Guidelines

* **Do not** include raw, unsanitized user input in NoSQL queries. This practice can lead to NoSQL injection vulnerabilities.

  ```javascript
  const User = require("../models/user");
  const newUser = new User(req.body); // unsafe
  ```
* **Do sanitize** all input data before using it in NoSQL queries. Ensuring data is properly sanitized can prevent NoSQL injection attacks.

  ```javascript
  const User = require("../models/user");

  const username = req.params.username;
  User.findOne({ name: username.toString() });
  ```
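
The two guidelines above are easier to reason about once the failure mode is visible. The following is an added example, not code from this rule page or from the scanner vendor: it uses an in-memory stand-in for a users collection with a matcher that understands only equality and `$ne`, and the function names (`findByNameUnsafe`, `findByNameSafe`, `stripOperatorKeys`), the sample documents and the sample request values are all constructed for illustration. It runs under Node without a database.

```javascript
// Constructed sample documents standing in for a users collection.
const USERS = [
  { name: "alice", role: "admin" },
  { name: "bob", role: "user" },
];

// Minimal matcher that understands plain equality and the $ne operator.
// Like MongoDB, an object without operator keys is compared as a literal
// value (so { name: {} } matches no document here). Real drivers support
// many more operators; this is just enough to show the difference.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const value = doc[field];
    const isOperatorObject =
      cond !== null &&
      typeof cond === "object" &&
      !Array.isArray(cond) &&
      Object.keys(cond).some((k) => k.startsWith("$"));
    if (isOperatorObject) {
      return Object.entries(cond).every(([op, operand]) => {
        if (op === "$ne") return value !== operand;
        throw new Error(`unsupported operator ${op}`);
      });
    }
    return value === cond;
  });
}

function find(filter) {
  return USERS.filter((doc) => matches(doc, filter));
}

// Unsafe: forwards whatever the request parser produced. Express's default
// query-string parser (qs) turns ?name[$ne]=x into { "$ne": "x" }, and a JSON
// body can carry an object just as easily, so "input" is not always a string.
function findByNameUnsafe(input) {
  return find({ name: input });
}

// Safe: refuse anything that is not a string before it reaches the filter.
// The page's username.toString() also neutralises an object (it becomes
// "[object Object]") but throws on undefined; an explicit type check is
// clearer and easier to audit.
function findByNameSafe(input) {
  if (typeof input !== "string") {
    throw new TypeError("name must be a string");
  }
  return find({ name: input });
}

// Defensive pass in the style of express-mongo-sanitize: drop keys that start
// with "$" or contain "." anywhere in a parsed body before it is used.
function stripOperatorKeys(value) {
  if (Array.isArray(value)) return value.map(stripOperatorKeys);
  if (value !== null && typeof value === "object") {
    const clean = {};
    for (const [key, inner] of Object.entries(value)) {
      if (key.startsWith("$") || key.includes(".")) continue;
      clean[key] = stripOperatorKeys(inner);
    }
    return clean;
  }
  return value;
}
```

With a constructed request value of `{ $ne: null }` (what `qs` produces for `?name[$ne]=`), `findByNameUnsafe` returns every document, while `findByNameSafe` rejects it before any query is built. Route parameters such as `req.params.username` in the guideline are always strings, but `req.query` and `req.body` are not, so the durable fix is to validate types (or a schema) at the request boundary rather than to rely on the query layer.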

## References

* [**OWASP NoSQL injection explained**](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection)
* [**CWE-943: Improper Neutralization of Special Elements in Data Query Logic**](https://cwe.mitre.org/data/definitions/943.html)

## Configuration

To exclude this rule from a scan, and for continuous 24/7 code-level scanning, use our [**SAST TOOL**](https://scopy.sec1.io/login).
