<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Passing user-controlled input into a NoSQL query can result in a NoSQL injection flaw.
The tainted query then causes a NoSQL database such as MongoDB to perform actions the developer did not intend.
Note that for user-controlled input to act as, or become part of, a NoSQL query, it must first be converted into a Python object using something like <code>json.loads</code> or <code>xmltodict.parse</code>.
</p>
<p>
Because the user-controlled input is injected directly into the query, a malicious user can gain complete control over the query itself.
When the query is executed, they can perform actions such as bypassing role restrictions or accessing and modifying restricted data in the MongoDB database.
</p>
</overview>
<recommendation>
<p>
NoSQL injection can be prevented by escaping special characters in the user input that is passed into the NoSQL query.
Alternatively, sanitizing user input with a library such as MongoSanitizer ensures that a malicious query constructed in the user-supplied input is not executed.
</p>
</recommendation>
<example>
<p>In the example below, the user-supplied source is passed to a MongoDB function that queries the MongoDB database.</p>
<sample src="NoSQLInjection-Bad.py" />
<p>This can be fixed by using a sanitizer library like MongoSanitizer, as shown in the annotated version of the code below.</p>
<sample src="NoSQLInjection-Good.py" />
</example>
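The sample files referenced above are not included on this page, so the following added example (written for this page, not the query's own <code>NoSQLInjection-Bad.py</code> / <code>NoSQLInjection-Good.py</code>) shows the pattern the overview and recommendation describe: a JSON request body decoded with <code>json.loads</code> and spliced into a MongoDB-style filter, beside a version that sanitizes the decoded object. The request bodies, the in-memory <code>USERS</code> collection, the <code>find</code> matcher and the <code>sanitize</code> function are all constructed here; <code>sanitize</code> follows the idea behind sanitizer libraries such as MongoSanitizer but is not that library's code, and no real database is contacted.

```python
import json
from typing import Any, Dict, List

# Constructed request bodies (written for this example, not taken from the page):
# a normal login and one whose fields decode to dicts carrying a query operator.
BENIGN_BODY = '{"username": "alice", "password": "hunter2"}'
OPERATOR_BODY = '{"username": {"$ne": ""}, "password": {"$ne": ""}}'

# Constructed stand-in for a MongoDB "users" collection.
USERS: List[Dict[str, Any]] = [
    {"username": "alice", "password": "hunter2", "role": "admin"},
    {"username": "bob", "password": "secret", "role": "user"},
]


class UnsafeQueryError(ValueError):
    """Raised when decoded user data carries MongoDB operator keys."""


def sanitize(value: Any) -> Any:
    """Recursively reject any dict key that starts with '$'.

    Hand-written for this example in the spirit of sanitizer libraries such
    as MongoSanitizer; it is not that library's code.
    """
    if isinstance(value, dict):
        clean = {}
        for key, item in value.items():
            if not isinstance(key, str) or key.startswith("$"):
                raise UnsafeQueryError(f"forbidden key in user data: {key!r}")
            clean[key] = sanitize(item)
        return clean
    if isinstance(value, list):
        return [sanitize(item) for item in value]
    return value


def vulnerable_filter(body: str) -> Dict[str, Any]:
    """Bad pattern: the json.loads output is spliced straight into the filter,
    so a field may arrive as a dict (an operator) rather than a string."""
    data = json.loads(body)
    return {"username": data["username"], "password": data["password"]}


def fixed_filter(body: str) -> Dict[str, Any]:
    """Fixed pattern: sanitize the decoded object and insist on plain strings."""
    data = sanitize(json.loads(body))
    username, password = data["username"], data["password"]
    if not isinstance(username, str) or not isinstance(password, str):
        raise UnsafeQueryError("login fields must be strings")
    return {"username": username, "password": password}


def is_rejected(body: str) -> bool:
    """True when fixed_filter refuses the body."""
    try:
        fixed_filter(body)
    except UnsafeQueryError:
        return True
    return False


def find(collection: List[Dict[str, Any]], flt: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Tiny in-memory matcher covering equality and the $ne operator, enough
    to show how an operator-carrying filter changes which documents match."""
    def field_matches(actual: Any, expected: Any) -> bool:
        if isinstance(expected, dict) and "$ne" in expected:
            return actual != expected["$ne"]
        return actual == expected

    return [doc for doc in collection
            if all(field_matches(doc.get(k), v) for k, v in flt.items())]


if __name__ == "__main__":
    print(len(find(USERS, vulnerable_filter(BENIGN_BODY))))    # 1: only alice
    print(len(find(USERS, vulnerable_filter(OPERATOR_BODY))))  # 2: every user matches
    print(is_rejected(OPERATOR_BODY))                           # True
```

The key observation is that <code>vulnerable_filter</code> never checks the type of the decoded fields, so a body that decodes to a dict reaches the query as an operator and the filter matches every document, which is the role-restriction bypass described in the overview. <code>fixed_filter</code> closes both holes: <code>sanitize</code> refuses operator keys anywhere in the decoded object, and the string check ensures each field is compared as a literal value.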
<references>
<li>OWASP: <a href="https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf">NoSQL injection</a>.</li>
<li>Security Stack Exchange: <a href="https://security.stackexchange.com/questions/83231/mongodb-nosql-injection-in-python-code">MongoDB NoSQL injection in Python code</a>.</li>
</references>
</qhelp>