How can I prevent JavaScript NoSQL injections into MongoDB?
I am working on a Node.js application and I am passing req.body, which is a JSON object, into the mongoose model's save function. I thought there were safeguards behind the scenes, but this doesn't appear to be the case.
Sushant's answer is not correct. You need to be aware of NoSQL injection in MongoDB.
Example (taken from here)
User.findOne({
"name" : req.params.name,
"password" : req.params.password
}, callback);
If req.params.password is { $ne: 1 }, the user will be retrieved without knowing the password ($ne means not equals 1).
MongoDB Driver
You can use mongo-sanitize:
It will strip out any keys that start with '$' in the input, so you can pass it to MongoDB without worrying about malicious users overwriting.
var sanitize = require('mongo-sanitize');
var name = sanitize(req.params.name);
var password = sanitize(req.params.password);
User.findOne({
"name" : name,
"password" : password
}, callback);
Mongoose Driver
As it follows a schema, if the password is a string field, it will convert the object { $ne: 1 } to string and no damage will be done. In this case, you don't need to sanitize, just remember to set a proper schema.
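The following is an added example, not code from the question, the answer, mongo-sanitize or Mongoose. It assumes a hypothetical in-memory user list and a tiny query matcher that understands only equality and the $ne operator, which is enough to reproduce the bypass described in the answer and to show the two defences it names: stripping keys that start with '$' (the behaviour the answer attributes to mongo-sanitize, re-implemented here as a small `sanitize` function) and casting the value to the declared schema type before querying (`castToString`, mirroring the answer's description of a String field). The matcher, the sample data and both helper names are assumptions for the demonstration.

```javascript
// Constructed sample data standing in for a users collection.
const users = [{ name: 'alice', password: 'hunter2' }];

// Minimal stand-in for a MongoDB query matcher: a plain value means equality,
// an object with $ne means "not equal to". Any other object never matches.
function matches(field, value, doc) {
  if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
    if (Object.prototype.hasOwnProperty.call(value, '$ne')) {
      return doc[field] !== value.$ne;
    }
    return false; // unknown or empty operator object: no match
  }
  return doc[field] === value;
}

// Hypothetical findOne: returns the first document matching every key of the query.
function findOne(query) {
  const hit = users.find(doc =>
    Object.keys(query).every(key => matches(key, query[key], doc)));
  return hit || null;
}

// Hypothetical re-implementation of the key stripping the answer describes:
// remove every key beginning with '$', recursively, so operator objects that
// arrive from req.params / req.body lose their operators before reaching the query.
function sanitize(input) {
  if (Array.isArray(input)) return input.map(sanitize);
  if (input !== null && typeof input === 'object') {
    const clean = {};
    for (const [key, value] of Object.entries(input)) {
      if (!key.startsWith('$')) clean[key] = sanitize(value);
    }
    return clean;
  }
  return input; // strings, numbers, booleans, null pass through unchanged
}

// Hypothetical schema cast for a String field: whatever the client sent is
// forced to a string, so an operator object becomes '[object Object]' and
// can only ever be compared as a literal password.
function castToString(value) {
  return value === null || value === undefined ? value : String(value);
}

// Three login paths over the same untrusted input, returning true when a user is found.
function loginUnsafe(name, password) {
  return findOne({ name: name, password: password }) !== null;
}

function loginSanitized(name, password) {
  return findOne({ name: sanitize(name), password: sanitize(password) }) !== null;
}

function loginSchemaCast(name, password) {
  return findOne({ name: castToString(name), password: castToString(password) }) !== null;
}

// Constructed request parameters: a correct login and the operator object from the answer.
const goodPassword = 'hunter2';
const injected = { $ne: 1 };

console.log('unsafe, correct password   :', loginUnsafe('alice', goodPassword));   // true
console.log('unsafe, { $ne: 1 }         :', loginUnsafe('alice', injected));       // true (bypass)
console.log('sanitized, { $ne: 1 }      :', loginSanitized('alice', injected));    // false
console.log('schema cast, { $ne: 1 }    :', loginSchemaCast('alice', injected));   // false
console.log('schema cast, correct pass  :', loginSchemaCast('alice', goodPassword)); // true
```

In a real application the operator object usually arrives because body or query parsing accepts nested objects (for example `password[$ne]=1` in a URL-encoded body), so the check belongs at the boundary where `req.body` or `req.params` is read, before the value is placed into any query or `save` call; both defences above still leave the password comparison itself to be done with a proper hash, which this example does not cover.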