Unsanitized input in NoSQL query

Overview

Rule ID: javascript_express_nosql_injection
Applicable Languages: Javascript
Weakness ID: CWE-943

Description

Using unsanitized data in NoSQL queries exposes your application to NoSQL injection attacks. This vulnerability occurs when user input, request data, or any externally influenced data is directly passed into a NoSQL query function without proper sanitization.

Remediation Guidelines

Do not include raw, unsanitized user input in NoSQL queries. This practice can lead to NoSQL injection vulnerabilities.
```
const User = require("../models/user");
const newUser = new User(req.body); // unsafe
```
Do sanitize all input data before using it in NoSQL queries. Ensuring data is properly sanitized can prevent NoSQL injection attacks.
```
const User = require("../models/user");

const username = req.params.username;
User.findOne({ name: username.toString() });
```

References

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL

PreviousUnsanitized dynamic input in regular expression NextUnsanitized user input in 'eval' type function

Last updated 1 year ago

hashtagOverview

hashtagDescription

hashtagRemediation Guidelines

hashtagReferences

hashtagConfiguration

Overview

Description

Remediation Guidelines

References

Configuration