NPN328

Reputation: 1942

Can injection still be an issue if all the database operations are done through Mongoose?

Learning the basics of MongoDB, I read that MongoDB is vulnerable to injection attacks out-of-the-box. In node, this can be prevented using the help of the module mongo-sanitize. So far, so good. Now let's add Mongoose to the equation.

If we are using Mongoose

I remember reading that Mongoose can prevent injections to some extent, but I don't know the specifics, or if it is redundant to sanitize against Mongoose.

Upvotes: 4

Views: 492

Answers (1)

Bergur

Reputation: 4057

As the article mentioned, the problem arises when the user doesn't send a string like 'bergur' and 'myawesomepassword' but instead sends {"$ne": null} for usernames and passwords.

If you create a schema and define username and password as strings, then Mongoose will convert it to string and you avoid the problem.

Regarding the where injection, mongo-sanitize wouldn't help you there. The solution is simply not to ever use the $where operator.

So to simply answer your question:

  1. No, you don't need to use mongo-sanitize.
  2. No explicit injection protection; the protection comes from schemas and models.

Upvotes: 3
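As an added illustration of the contrast the answer draws (this is example code, not from the question, the answer or Mongoose itself), the block below models both defences with hypothetical helpers: `stripOperators` removes `$`-prefixed keys the way a mongo-sanitize style filter does, and `castToSchema` enforces a hypothetical schema that declares `username` and `password` as strings, rejecting an object such as `{"$ne": null}` outright. The function names, the schema and the sample request bodies are constructed for the example.

```javascript
// Added example (not code from the question, the answer or Mongoose):
// a small model of the two defences the answer contrasts.
// All names below are hypothetical.

// mongo-sanitize style defence: drop every key that starts with "$" so that
// no query operator survives in user-supplied input. Note that the offending
// value is replaced by an empty object, not removed entirely.
function stripOperators(value) {
  if (Array.isArray(value)) return value.map(stripOperators);
  if (value !== null && typeof value === 'object') {
    const clean = {};
    for (const [key, inner] of Object.entries(value)) {
      if (!key.startsWith('$')) clean[key] = stripOperators(inner);
    }
    return clean;
  }
  return value;
}

// Schema style defence: each field declares the primitive type it accepts.
// Hypothetical stand-in for "define username and password as strings".
const userSchema = { username: 'string', password: 'string' };

// Cast a request body against the schema. Strings pass, numbers and booleans
// are stringified, and anything else (objects such as {"$ne": null}, arrays,
// undefined) is rejected, so an operator can never reach the query filter.
function castToSchema(schema, body) {
  const filter = {};
  for (const [field, type] of Object.entries(schema)) {
    if (type !== 'string') throw new Error(`unsupported schema type ${type}`);
    const raw = body[field];
    if (typeof raw === 'string') filter[field] = raw;
    else if (typeof raw === 'number' || typeof raw === 'boolean') filter[field] = String(raw);
    else throw new TypeError(`Cast to string failed for field "${field}"`);
  }
  return filter;
}

// Detection helper: does a filter still carry a "$" operator anywhere?
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).some(
      ([key, inner]) => key.startsWith('$') || containsOperator(inner)
    );
  }
  return false;
}

// Constructed sample request bodies, as a login handler would receive them
// after JSON.parse on the request body.
const honestLogin = { username: 'bergur', password: 'myawesomepassword' };
const operatorLogin = { username: { $ne: null }, password: { $ne: null } };

// Run both defences over a body and report what each one yields.
function compareDefences(body) {
  const sanitized = stripOperators(body);
  let cast;
  try {
    cast = castToSchema(userSchema, body);
  } catch (err) {
    cast = { rejected: err.message };
  }
  return {
    rawHasOperator: containsOperator(body),
    sanitized,
    sanitizedHasOperator: containsOperator(sanitized),
    cast,
  };
}

console.log(JSON.stringify(compareDefences(honestLogin), null, 2));
console.log(JSON.stringify(compareDefences(operatorLogin), null, 2));
```

Running it prints the outcome for the honest login and for the operator payload. The two defences fail differently: the sanitizer leaves `{ username: {} }` behind, a filter that matches nothing rather than an error, while the schema cast rejects the request before any query is built. How closely this model matches a given Mongoose version's handling of query filters (as opposed to document creation) is worth checking against its documentation; Mongoose 6 and later also expose a `sanitizeFilter` option aimed at exactly this case.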
