How can I prevent JavaScript NoSQL injections into MongoDB?
I am working on a Node.js application and I am passing req.body, which is a JSON object, into the mongoose model's save function. I thought there were safeguards behind the scenes, but this doesn't appear to be the case.
Note
My answer is incorrect. Please refer to other answers.
—
As a client program assembles a query in MongoDB, it builds a BSON object, not a string. Thus traditional SQL injection attacks are not a problem.
For details follow the documentation.
UPDATE
Avoid expressions like eval which can execute arbitrary JS. If you are taking input from a user and running eval-like expressions without cleaning the input you can screw up. As pointed out by JoBu1324, operations like where, mapReduce and group permit executing JS expressions directly.
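The two injection shapes the question and answer are circling, as an added example that is not part of the original question or answer: a request body whose values are objects carrying query operators (so `req.body.password` becomes `{ "$gt": "" }` and matches any password), and a `$where` clause built by string concatenation, which is JavaScript injection into the server-side evaluator. The guard below is plain Node.js with no MongoDB connection; the request bodies are constructed for the demonstration, and the operator-stripping helper reimplements the idea behind the express-mongo-sanitize package so the block is self-contained. Function and variable names are this example's own.

```javascript
// Added example: NoSQL-injection guard for query objects built from req.body.
// Runs without a database; the bodies below are constructed test inputs.

// What a normal login sends.
const honestBody = { username: "alice", password: "correct horse" };

// What an attacker sends when req.body is passed straight into a query:
// {$gt: ""} is compared as an operator, so it matches any non-empty
// password and the query returns the first matching user.
const injectedBody = { username: "alice", password: { $gt: "" } };

// Unsafe: the body is used as-is, so client-supplied keys such as $gt, $ne
// or $regex are interpreted as query operators.
function buildLoginQueryUnsafe(body) {
  return { username: body.username, password: body.password };
}

// True if any key (at any depth) starts with "$" or contains ".", i.e. could
// be read as an operator or a dotted field path.
function hasOperatorKeys(value) {
  if (Array.isArray(value)) return value.some(hasOperatorKeys);
  if (value === null || typeof value !== "object") return false;
  return Object.keys(value).some(
    (k) => k.startsWith("$") || k.includes(".") || hasOperatorKeys(value[k])
  );
}

// Recursively drop operator-looking keys. This is a fallback layer, not a
// substitute for type checking: an attacker who controls the shape of a
// value can still change query semantics in other ways.
function stripOperatorKeys(value) {
  if (Array.isArray(value)) return value.map(stripOperatorKeys);
  if (value === null || typeof value !== "object") return value;
  const clean = {};
  for (const [k, v] of Object.entries(value)) {
    if (k.startsWith("$") || k.includes(".")) continue;
    clean[k] = stripOperatorKeys(v);
  }
  return clean;
}

// Safe: fields that must be scalars are required to be strings. Rejecting
// the wrong type is the primary control; the query never inherits the
// body's structure.
function buildLoginQuerySafe(body) {
  const { username, password } = body;
  if (typeof username !== "string" || typeof password !== "string") {
    throw new TypeError("username and password must be strings");
  }
  return { username, password };
}

// $where (like mapReduce and group) evaluates JavaScript on the server.
// Concatenating user input into that JavaScript is ordinary code injection;
// there is no escaping step that makes it safe.
function buildWhereQueryUnsafe(input) {
  return { $where: `this.username === '${input}'` };
}

// Safe: express the same condition as a plain equality match, which is a
// BSON value and is never evaluated as code.
function buildWhereQuerySafe(input) {
  if (typeof input !== "string") throw new TypeError("username must be a string");
  return { username: input };
}

// Demonstration on the constructed inputs.
console.log(JSON.stringify(buildLoginQueryUnsafe(injectedBody)));
console.log(JSON.stringify(stripOperatorKeys(injectedBody)));
console.log(JSON.stringify(buildWhereQueryUnsafe("' || '1'=='1")));
console.log(JSON.stringify(buildWhereQuerySafe("' || '1'=='1")));
```

In a real handler, `buildLoginQuerySafe` is the pattern to copy: validate each field's type (or run the body through a schema validator) before it reaches Mongoose, and treat operator stripping as defence in depth rather than the fix. Mongoose casting does not protect a query built from an arbitrary object, and a `$where` string built from input cannot be made safe by cleaning; replace it with a normal operator-based query.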