Sampath Liyanage Sampath Liyanage - 3 months ago 22x
Node.js Question

mongodb injection possibility

I'm new to mongodb and I'm using this query in server side (node js),

collection.col.aggregate([{$match: req.body},
{$group: { _id: "$district", count: {$sum: 1}}}
res.render('postResults', {
"output" : docs

in the line
collection.col.aggregate([{$match: req.body}
I directly inject an object sent from the client side with

I want to know if this approach leads to a security vulnerability like sql injection. If yes, how serious is the vulnerability? Is it possible for an attacker to do operations other than read-only ones with this?

Thank you in advance..


Yes, you can inject a different query by changing req.body. For example, if you were looking up a specific crime, your req.body might look like { "_id" : "123456" }. But I could instead send { }. Then every document would match and the aggregation pipeline would process every document, which might be sufficient to cause performance problems. Since the aggregation pipeline never alters the original documents, you can't change the data, so it's a read-only attack but it could still be used to choke up your servers with collection scans and large-volume aggregation pipelines.