daniel daniel - 4 months ago 77
Node.js Question

JavaScript NoSQL Injection prevention in MongoDB

How can I prevent JavaScript NoSQL injections into MongoDB?

I am working on a Node.js application and I am passing

req.body
, which is a json object, into the mongoose model's save function. I thought there were safeguards behind the scenes, but this doesn't appear to be the case.

Answer

As a client program assembles a query in MongoDB, it builds a BSON object, not a string. Thus traditional SQL injection attacks are not a problem.

For details follow the documentation

UPDATE

Avoid expression like eval which can execute arbitrary JS. If you are taking input from user and running eval like expressions without cleaning the input you can screw up. As pointed by JoBu1324, operations like where, mapReduce and group permit to execute JS expressions directly.

Comments