rated 0 times [  53] [ 5]  / answers: 1 / hits: 28395  / 12 Years ago, sun, november 18, 2012, 12:00:00

How can I prevent JavaScript NoSQL injections into MongoDB?



I am working on a Node.js application and I am passing req.body, which is a JSON object, into the mongoose model's save function. I thought there were safeguards behind the scenes, but this doesn't appear to be the case.



 Answers
113

Note
My answer is incorrect. Please refer to other answers.



--



As a client program assembles a query in MongoDB, it builds a BSON object,
not a string. Thus traditional SQL injection attacks are not a problem.



For details follow the documentation



UPDATE



Avoid expressions like eval, which can execute arbitrary JS. If you are taking input from the user and running eval-like expressions without cleaning the input, you can screw up. As pointed out by JoBu1324, operations like where, mapReduce and group permit executing JS expressions directly.


[#81933] Friday, November 16, 2012, 12 Years  [reply] [flag answer]
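
One way to validate `req.body` before it reaches a Mongoose model or query, as an added example that is not part of the original question or answer. Because the body is parsed JSON, nested objects and `$`-prefixed keys arrive as objects rather than strings, so the check rejects those keys and copies only expected fields of the expected type. `findUnsafeKeys`, `pickFields`, the schema and the sample bodies are hypothetical and constructed for illustration.

```javascript
// Added example: hypothetical helpers, not Mongoose APIs.

// Return the paths of keys that MongoDB would treat as operators ("$...")
// or as nested-path selectors (containing "."), anywhere in the value.
function findUnsafeKeys(value, path = "", found = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findUnsafeKeys(item, `${path}[${i}]`, found));
  } else if (value !== null && typeof value === "object") {
    for (const key of Object.keys(value)) {
      const here = path ? `${path}.${key}` : key;
      if (key.startsWith("$") || key.includes(".")) found.push(here);
      findUnsafeKeys(value[key], here, found);
    }
  }
  return found;
}

// Copy only the expected fields, and only when each has the expected
// primitive type. Throws rather than passing an object where a string
// or number is expected; unknown fields are dropped.
function pickFields(body, schema) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    throw new Error("body must be a JSON object");
  }
  const unsafe = findUnsafeKeys(body);
  if (unsafe.length > 0) {
    throw new Error(`rejected keys: ${unsafe.join(", ")}`);
  }
  const clean = {};
  for (const [field, type] of Object.entries(schema)) {
    if (!Object.prototype.hasOwnProperty.call(body, field)) continue;
    if (typeof body[field] !== type) {
      throw new Error(`field "${field}" must be a ${type}`);
    }
    clean[field] = body[field];
  }
  return clean;
}

// Constructed sample inputs (not from the original post).
const schema = { name: "string", age: "number" };
const okBody = JSON.parse('{"name":"alice","age":30,"isAdmin":true}');
const badBody = JSON.parse('{"name":"alice","filter":{"$where":"placeholder"}}');

console.log(pickFields(okBody, schema)); // unknown field "isAdmin" is dropped
console.log(findUnsafeKeys(badBody));    // lists the operator key path
```

In an Express handler the result of `pickFields(req.body, schema)` would be passed to the model instead of `req.body` itself.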