Reputation: 615
I am a newbie using Spring with MongoDB.
I am using a DAO pattern which uses a MongoOperations object.
As I have a lot of experience with RDBMS and JPA, usually we use setParameter, which also takes care of escaping and avoiding SQL injection.
I am wondering if there is such a thing in Spring for MongoDB. I could not find it, but I might be missing something. I have to say I am still not sure if there is an SQL injection risk using Mongo.
Also, is there a way to create Named Queries in MongoDB?
Thank you all.
Upvotes: 4
Views: 5056
Reputation: 3285
There is something very similar to SQL injection, which is NoSQL injection.
The special characters are different but the concept is the same: the user can control/modify/corrupt the request.
Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax. Because these NoSQL injection attacks may execute within a procedural language, rather than in the declarative SQL language, the potential impacts are greater than traditional SQL injection.
There is a way to verify; here is an OWASP page that would help you to test.
The basics are to verify that your requests correctly escape ' " \ ; { } and maybe more.
It seems that Spring Data MongoDB correctly escapes those, but I have no idea if it is completely safe.
As for named queries, I think this answer is correct and they don't exist, but you still have a @Query annotation if you have a repository.
And just because you are using a custom repository doesn't mean you can't use a repository interface too; Spring Data allows you to have an implementation of the repository without implementing it, see here.
Upvotes: 3
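As an added example, not code from the question or from either answer, here is the contrast the answer above describes, built with Spring Data MongoDB's own query API. It assumes Spring Data MongoDB 2.x or later (where getQueryObject() returns org.bson.Document); the login filter, its field names, and the attacker's username string are constructed for the demonstration. The vulnerable method splices user input into the JSON text of the filter, so quote and brace characters in the username rewrite the filter and replace the password check with a $ne operator. The safe method builds the filter through Criteria, so the same input is stored as a plain string value and is never parsed. Nothing talks to a database: the example only builds the two filter documents and prints them.

```java
import org.bson.Document;
import org.springframework.data.mongodb.core.query.BasicQuery;
import org.springframework.data.mongodb.core.query.Criteria;
import org.springframework.data.mongodb.core.query.Query;

// Added example: compares a string-built Mongo filter with one built via Criteria.
// Requires spring-data-mongodb (2.x or later) on the classpath; no server needed.
public class NoSqlInjectionDemo {

    // VULNERABLE (constructed for the demo): the caller's strings are spliced into the
    // JSON text of the filter, so quotes and braces in the input change its structure.
    // BasicQuery parses that text with Document.parse, exactly like an attacker wants.
    static Document vulnerableLoginFilter(String username, String password) {
        String json = "{ 'password' : '" + password + "', 'username' : '" + username + "' }";
        return new BasicQuery(json).getQueryObject();
    }

    // SAFE: Criteria writes the BSON document directly. The input becomes a string
    // value of the 'username' field and is never parsed, so it cannot become an operator.
    static Document safeLoginFilter(String username, String password) {
        return Query.query(
                Criteria.where("username").is(username).and("password").is(password)
        ).getQueryObject();
    }

    // The second NoSQL injection vector: if the request body was deserialized into
    // objects (Map, Document, ...), a client can send {"username": {"$ne": ""}} and
    // Criteria.is() would embed that map as an operator. Reject non-string input.
    static String requireString(Object value) {
        if (!(value instanceof String)) {
            String type = value == null ? "null" : value.getClass().getSimpleName();
            throw new IllegalArgumentException("expected a string, got " + type);
        }
        return (String) value;
    }

    public static void main(String[] args) {
        // Constructed attacker input: closes the username string and adds a new
        // 'password' key holding an operator. Because the template puts 'password'
        // before 'username', the injected key overwrites the real password check.
        String attackerUsername = "admin', 'password' : { '$ne' : '";
        String wrongGuess = "not-the-password";

        Document vulnerable = vulnerableLoginFilter(attackerUsername, wrongGuess);
        System.out.println("string-built filter: " + vulnerable.toJson());

        Document safe = safeLoginFilter(attackerUsername, wrongGuess);
        System.out.println("Criteria-built filter: " + safe.toJson());

        // Operator injection through a deserialized body is caught before it reaches Criteria.
        Object fromJsonBody = new Document("$ne", "");
        try {
            safeLoginFilter(requireString(fromJsonBody), wrongGuess);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected request body value: " + e.getMessage());
        }
    }
}
```

Run main with the spring-data-mongodb jar on the classpath and compare the two printed filters: in the first, the 'password' field carries the injected operator and the supplied password has vanished; in the second, the whole attacker string is simply the value of 'username'. The requireString check is what matters on the object side: the Criteria API protects you from string splicing, not from a client who controls the type of the value you hand to is().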
Reputation: 12932
There is no such thing as SQL injection in Mongo, since Mongo does not use the SQL language at all.
There is no concept of named queries in Spring Data MongoDB; instead you annotate your repository methods with @Query:
import java.util.List;
import org.springframework.data.mongodb.repository.MongoRepository;
import org.springframework.data.mongodb.repository.Query;

public interface PersonRepository extends MongoRepository<Person, String> {
    // ?0 is the first method argument; 'fields' limits the projection returned.
    @Query(value="{ 'firstname' : ?0 }", fields="{ 'firstname' : 1, 'lastname' : 1}")
    List<Person> findByThePersonsFirstname(String firstname);
}
Upvotes: -1
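As an added example, not from either answer, here is how the two answers fit together in one repository: the @Query placeholder as the stand-in for a named query, a derived query method, and a custom fragment whose implementation uses MongoOperations (the DAO style from the question). It assumes Spring Data MongoDB 2.x or later and its Impl naming convention for custom fragments; the Person entity, the collection name and the method names are made up for the example. The ?0 placeholder in @Query is bound by Spring Data as a value rather than spliced into the query text, so a lastname argument containing quotes or braces stays inside the string value instead of changing the filter.

```java
import java.util.List;

import org.springframework.data.annotation.Id;
import org.springframework.data.mongodb.core.MongoOperations;
import org.springframework.data.mongodb.core.mapping.Document;
import org.springframework.data.mongodb.core.query.Criteria;
import org.springframework.data.mongodb.core.query.Query;
import org.springframework.data.mongodb.repository.MongoRepository;

// Added example: entity, custom fragment, and repository interface in one file.
// Assumes Spring Data MongoDB 2.x+ with a MongoOperations (MongoTemplate) bean available.

@Document(collection = "people")   // collection name constructed for the example
class Person {
    @Id String id;
    String firstname;
    String lastname;
    int age;
}

// Custom fragment: hand-written DAO logic that still goes through MongoOperations.
interface PersonRepositoryCustom {
    List<Person> findAdultsWithLastname(String lastname);
}

// Spring discovers this by naming convention (<FragmentInterface>Impl); nothing else
// has to implement the repository interface by hand.
class PersonRepositoryCustomImpl implements PersonRepositoryCustom {
    private final MongoOperations mongo;

    PersonRepositoryCustomImpl(MongoOperations mongo) {
        this.mongo = mongo;
    }

    @Override
    public List<Person> findAdultsWithLastname(String lastname) {
        // Criteria builds the BSON filter; 'lastname' is stored as a value, never parsed.
        Query q = Query.query(Criteria.where("lastname").is(lastname).and("age").gte(18));
        return mongo.find(q, Person.class);
    }
}

// The repository Spring instantiates: derived query + @Query + the custom fragment.
interface PersonRepository extends MongoRepository<Person, String>, PersonRepositoryCustom {

    // Derived query: the filter is generated from the method name.
    List<Person> findByFirstname(String firstname);

    // "Named query" equivalent. ?0 is the first argument, bound as a BSON value.
    // The fully qualified name avoids a clash with core.query.Query imported above.
    @org.springframework.data.mongodb.repository.Query(
            value = "{ 'lastname' : ?0 }",
            fields = "{ 'firstname' : 1, 'lastname' : 1 }")
    List<Person> namesByLastname(String lastname);
}
```

Inject PersonRepository where the DAO used to be; all three method kinds are available on the same bean, and the custom implementation receives the MongoOperations instance from the Spring context. If you do need string-based queries beyond what @Query offers, keep the user-controlled part as a bound argument (?0, ?1, ...) and never concatenate it into the value string, since that would reintroduce the injection shown in the first answer.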