include::../description.adoc[]
== Noncompliant Code Example

In a MongoDB context, https://docs.mongodb.com/manual/faq/fundamentals/#how-does-mongodb-address-sql-or-query-injection[arbitrary JavaScript code] can be executed through the ``$where`` operator, for instance:

----
let username = req.query.username;

// Noncompliant: the untrusted value is interpolated into a JavaScript
// expression that MongoDB evaluates on the server.
let query = { $where: `this.username == '${username}'` };

User.find(query, function (err, users) {
  if (err) {
    // Handle errors
  } else {
    res.render('userlookup', { title: 'User Lookup', users: users });
  }
});
----

== Compliant Solution

In a MongoDB context, do not use the ``$where`` operator, or validate the data before it reaches the query:

----
let username = req.query.username;

// Compliant: field equality treats the value as data, never as code.
let query = { username: username };

User.find(query, function (err, users) {
  if (err) {
    // Handle errors
  } else {
    res.render('userlookup', { title: 'User Lookup', users: users });
  }
});
----
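
The "validate the data" half of the advice, as an added example that is not part of the rule text or of any project: the helper ``buildUserQuery`` and the username allow-list it enforces are assumptions, and the sample inputs are constructed.

```javascript
// Added example (not from the rule text or any project): apply the
// "validate the data" advice before untrusted input becomes a MongoDB query.
// `buildUserQuery`, `classify` and the username policy are assumptions.
const USERNAME_RE = /^[A-Za-z0-9_.-]{1,64}$/;

// Return a plain equality query for an acceptable username, or throw.
function buildUserQuery(rawUsername) {
  // Express's query-string parser turns ?username[$ne]= into an object,
  // which would change the meaning of the query: accept only strings.
  if (typeof rawUsername !== 'string') {
    throw new TypeError('username must be a string');
  }
  // Allow-list the characters, so the value can never carry operators or
  // quote characters that a `$where` string would have to escape.
  if (!USERNAME_RE.test(rawUsername)) {
    throw new RangeError('username contains disallowed characters');
  }
  // Field equality: MongoDB treats the value as data, never as JavaScript.
  return { username: rawUsername };
}

// Wrap the check so a caller (and a test) can see why input was refused.
function classify(input) {
  try {
    return { ok: true, query: buildUserQuery(input) };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}

// Constructed sample inputs, shaped as req.query.username might deliver them.
const SAMPLES = [
  'alice',                 // ordinary value, accepted
  "alice' || 'a'=='a",     // quote characters that would alter a $where string
  { $ne: null },           // object produced by the query-string parser
];

// Run every sample through the validator and return the outcomes.
function checkSamples() {
  return SAMPLES.map(classify);
}
```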

include::../see.adoc[]