NoSQLInjection.qhelp
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Passing user-controlled sources into NoSQL queries can result in a NoSQL injection flaw.
The tainted NoSQL query then performs actions on a NoSQL database such as MongoDB that the developer did not intend.
Note that for a user-controlled source to act as, or form part of, a NoSQL query, it must first be converted into a Python object, for example with <code>json.loads</code> or <code>xmltodict.parse</code>.
</p>
<p>
Because the user-controlled source is injected directly into the query, a malicious user can gain complete control over the query itself.
When the query is executed they can perform actions such as bypassing role restrictions or reading and modifying restricted data in the MongoDB database.
</p>
</overview>
<recommendation>
<p>
NoSQL injection can be prevented by escaping the special characters in user input before it is passed into the NoSQL query.
Alternatively, using a sanitizing library such as MongoSanitizer ensures that a user-supplied source cannot act as a malicious query.
</p>
</recommendation>
<example>
<p>In the example below, the user-supplied source is passed to a MongoDB function that queries the MongoDB database.</p>
<sample src="NoSQLInjection-Bad.py" />
<p>This can be fixed by using a sanitizer library like MongoSanitizer, as shown in the annotated version below.</p>
<sample src="NoSQLInjection-Good.py" />
</example>
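The flow described above, as an added example: it is neither the NoSQLInjection-Bad.py / NoSQLInjection-Good.py samples referenced by this help file nor the MongoSanitizer library. It assumes a login-style endpoint whose request body is decoded with <code>json.loads</code>, and it uses a constructed body, a detection helper, a type-checking filter builder and a hand-written stand-in for what a sanitizer does; no database connection is needed to run it.

```python
import json
from typing import Any

# Constructed request body: "password" is a JSON object, not a string. json.loads
# turns it into a dict, which PyMongo would send as a query sub-document, so an
# operator key reaches the server instead of a literal value.
CONSTRUCTED_BODY = '{"username": "alice", "password": {"$operator": ""}}'


def contains_operator(value: Any) -> bool:
    """Detection helper: True if any key in the structure starts with '$'."""
    if isinstance(value, dict):
        return any(str(k).startswith("$") or contains_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False


def build_login_filter_unsafe(raw_body: str) -> dict:
    """Vulnerable pattern: decoded JSON flows straight into the filter document."""
    body = json.loads(raw_body)
    return {"username": body["username"], "password": body["password"]}


def build_login_filter_safe(raw_body: str) -> dict:
    """Hardened: fields that must be literals are accepted only as plain strings."""
    body = json.loads(raw_body)
    username, password = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError("username and password must be strings")
    return {"username": username, "password": password}


def sanitize(value: Any) -> Any:
    """Strip '$'-prefixed keys from a nested structure. Hand-written stand-in for
    what a library such as MongoSanitizer does, for endpoints that legitimately
    accept a client-supplied sub-document."""
    if isinstance(value, dict):
        return {k: sanitize(v) for k, v in value.items() if not str(k).startswith("$")}
    if isinstance(value, list):
        return [sanitize(v) for v in value]
    return value


if __name__ == "__main__":
    print(contains_operator(build_login_filter_unsafe(CONSTRUCTED_BODY)))  # True
    print(sanitize(json.loads(CONSTRUCTED_BODY)))  # {'username': 'alice', 'password': {}}
```

The type check is the stronger control where a field must be a literal; the key-stripping sanitizer is the fallback for endpoints that intentionally accept a client-built sub-document.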
<references>
<li>OWASP: <a href="https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf">NoSQL Injection</a></li>
<li>Security Stack Exchange Discussion: <a href="https://security.stackexchange.com/questions/83231/mongodb-nosql-injection-in-python-code">Question 83231</a></li>
</references>
</qhelp>