Sampath Liyanage

Reputation: 4896

mongodb injection possibility

I'm new to mongodb and I'm using this query in server side (node js),

collection.find({}, function(e, crimes) {
    collection.col.aggregate([
        {$match: req.body},   // object received from the client is used as the $match stage
        {$group: { _id: "$district", count: {$sum: 1}}}
    ], function(e, docs) {
        console.log(docs);
        res.render('postResults', {
            "output": docs
        });
    });
});

in the line collection.col.aggregate([{$match: req.body} I directly inject an object sent from the client side with req.body.

I want to know if this approach leads to a security vulnerability like sql injection. If yes, how serious is the vulnerability? Is it possible for an attacker to do operations other than read-only ones with this?

Thank you in advance.

Upvotes: 1

Views: 3009

Answers (3)

efkan

Reputation: 13217

You might check these out to learn about the issue:

  1. https://www.owasp.org/index.php/Testing_for_NoSQL_injection
  2. http://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html

Solutions:

  1. Don't use a function with a $where operator if the users interact with MongoDB.
  2. There are some tools to prevent the injection issues:
    https://www.npmjs.com/package/content-filter
    https://www.npmjs.com/package/mongo-sanitize
  3. Be aware of CSRF.

Good luck.

Upvotes: 2

wdberkeley

Reputation: 11671

Yes, you can inject a different query by changing req.body. For example, if you were looking up a specific crime, your req.body might look like { "_id" : "123456" }. But I could instead send { }. Then every document would match and the aggregation pipeline would process every document, which might be sufficient to cause performance problems. Since the aggregation pipeline never alters the original documents, you can't change the data, so it's a read-only attack but it could still be used to choke up your servers with collection scans and large-volume aggregation pipelines.

Upvotes: 1
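One way to close the hole the answer above describes is to never pass req.body through as the $match stage, but to rebuild it from an allow-list of fields that only accept plain string values. This is an added example, not code from the question or the answers; the field names "district" and "category", the length limit, and the function names are assumptions.

```javascript
// Allowed filter fields for the crime collection (assumed names).
const ALLOWED_FIELDS = new Set(["district", "category"]);

// Build a $match stage from the client body. Only known fields are accepted and
// every value must be a plain string, so a client cannot smuggle an operator
// object such as {"$ne": ""} or a {"$where": ...} clause into the pipeline.
function buildMatchStage(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    throw new Error("filter must be a JSON object");
  }
  const match = {};
  for (const [key, value] of Object.entries(body)) {
    if (!ALLOWED_FIELDS.has(key)) {
      throw new Error("field not allowed: " + key);
    }
    if (typeof value !== "string" || value.length === 0 || value.length > 64) {
      throw new Error("value for " + key + " must be a non-empty string");
    }
    match[key] = value; // plain equality only, never an operator object
  }
  // An empty filter would make the pipeline scan the whole collection, the
  // performance problem described above; require at least one field.
  if (Object.keys(match).length === 0) {
    throw new Error("at least one filter field is required");
  }
  return { $match: match };
}

// Full pipeline as used in the question, with the hardened $match stage.
// Call site: collection.col.aggregate(buildPipeline(req.body), callback)
function buildPipeline(body) {
  return [
    buildMatchStage(body),
    { $group: { _id: "$district", count: { $sum: 1 } } },
  ];
}

// Helper for route code that prefers a 400 response over an exception.
function pipelineOrNull(body) {
  try {
    return buildPipeline(body);
  } catch (e) {
    return null;
  }
}
```

Anything rejected here should be answered with an HTTP 400 rather than reaching MongoDB.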

unobf

Reputation: 7244

The answer is "No", this does not cause any Query injection issues because your Node.js server has already turned the HTTP request into a JSON object and therefore any data entered by the user is a JavaScript string that is part of this JSON object. You are not concatenating strings like you might do in other languages that make them vulnerable to SQL injection attacks.

Upvotes: 0
