10 lines
872 B
Plaintext
10 lines
872 B
Plaintext
==== Use only plain string values
|
|
|
|
With MongoDB, NoSQL injection can arise when attackers are able to inject objects in the query instead of plain string values. For example, using the object `{ $ne: "" }` in a field of a `find` query, will return every entry where the field is not empty.
|
|
|
|
Some JavaScript application servers enable "extended" syntax that serializes URL query parameters into JavaScript objects or arrays. This allows attackers to control all the fields of an object.
|
|
In express.js, this "extended" syntax https://expressjs.com/en/4x/api.html#express.urlencoded[is enabled by default].
|
|
|
|
Before using any untrusted value in a MongoDB query, make sure it is a plain string and not a JavaScript object or an array.
|
|
|
|
In some cases, this will not be enough to protect against all attacks and strict validation needs to be applied (see the "Pitfalls" section) |