Unsanitized input in NoSQL query

Overview

  • Rule ID: javascript_express_nosql_injection

  • Applicable Languages: JavaScript

  • Weakness ID: CWE-943

Description

Using unsanitized data in NoSQL queries exposes your application to NoSQL injection attacks. This vulnerability occurs when user input, request data, or any externally influenced data is directly passed into a NoSQL query function without proper sanitization.

Remediation Guidelines

  • Do not include raw, unsanitized user input in NoSQL queries. This practice can lead to NoSQL injection vulnerabilities.

    const User = require("../models/user");
    const newUser = new User(req.body); // unsafe
    
  • Do sanitize all input data before using it in NoSQL queries. Ensuring data is properly sanitized can prevent NoSQL injection attacks.

    const User = require("../models/user");
    
    // Coerce the parameter to a plain string before it enters the filter, so the
    // value is compared as a literal rather than interpreted as a query document.
    const username = req.params.username;
    User.findOne({ name: username.toString() });
