User input used in MongoDB $where operator
Description
Non-literal input reaches a MongoDB query through the `$where` operator. `$where` takes a JavaScript expression that mongod evaluates server-side against every document the query scans, so whoever controls any part of that string controls the query predicate: an attacker can turn it into a tautology to read every document in the collection, or supply a deliberately expensive expression to tie up the server. This is NoSQL injection, and no amount of escaping makes the string safe; user input must not reach `$where` at all.
Examples
Insecure Code

```java
BasicDBObject query = new BasicDBObject();
// The attacker-controlled string is sent as server-side JavaScript and evaluated against every document.
query.put("$where", request.getParameter("username"));
```

Secure Code

```java
// The parameter is bound as a BSON string value: the server compares it, it never executes it.
collection.find(Filters.eq("username", request.getParameter("username")));
```

Remediation
Do not pass user input to `$where`. Build queries with the driver's typed builders (`com.mongodb.client.model.Filters`: `Filters.eq`, `Filters.gt`, `Filters.in`, and so on), which encode the input as a BSON value so the server compares it and never evaluates it. If a query genuinely needs `$where`, keep the JavaScript expression a constant in source and pass data through ordinary document fields instead. Two caveats: the builders only help when the user value is passed as a value, so never parse user-supplied JSON into a filter document (`Document.parse(userJson)` reopens operator injection); and where the application can live without server-side JavaScript, disable it on the server (`security.javascriptEnabled: false`, or `--noscripting`), which turns any remaining `$where` use into a hard error rather than an injection point.
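As an added end-to-end example (not code from this page, the rule's author, or the MongoDB project), the two forms side by side against a live collection. It assumes a local mongod at `mongodb://localhost:27017` with server-side JavaScript enabled (the default) and the `mongodb-driver-sync` artifact on the classpath; the `demo.users` collection, the `vulnerableFilter`/`safeFilter`/`countMatches` helpers and the payload are all constructed for illustration.

```java
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;
import com.mongodb.client.MongoCollection;
import com.mongodb.client.model.Filters;
import org.bson.Document;
import org.bson.conversions.Bson;

import java.util.ArrayList;
import java.util.List;

public class WhereInjectionDemo {

    // Vulnerable (hypothetical helper): the caller's string is spliced into a JavaScript
    // expression that mongod evaluates against every document it scans.
    static Bson vulnerableFilter(String username) {
        return new Document("$where", "this.username == '" + username + "'");
    }

    // Hardened (hypothetical helper): the same string is bound as a BSON value for an
    // equality comparison and is never parsed as code.
    static Bson safeFilter(String username) {
        return Filters.eq("username", username);
    }

    // $where is rejected inside an aggregation $match, so count via find() rather than countDocuments().
    static int countMatches(MongoCollection<Document> users, Bson filter) {
        return users.find(filter).into(new ArrayList<>()).size();
    }

    public static void main(String[] args) {
        // Assumes a local mongod with server-side JavaScript enabled.
        try (MongoClient client = MongoClients.create("mongodb://localhost:27017")) {
            MongoCollection<Document> users = client.getDatabase("demo").getCollection("users");
            users.drop();
            users.insertMany(List.of(
                    new Document("username", "alice").append("role", "admin"),
                    new Document("username", "bob").append("role", "user")));

            // Constructed payload: closes the quoted literal and ORs in a tautology, so the
            // predicate becomes  this.username == '' || true || ''
            String payload = "' || true || '";

            System.out.println("$where with payload matched "
                    + countMatches(users, vulnerableFilter(payload)) + " of 2 documents");
            System.out.println("Filters.eq with payload matched "
                    + countMatches(users, safeFilter(payload)) + " of 2 documents");
        }
    }
}
```

The `$where` form matches both documents because the injected tautology is true for every row, while `Filters.eq` matches none because no user is literally named `' || true || '`. Against a server started with `security.javascriptEnabled: false`, the first query fails with an error instead of returning data, which is the failure mode you want.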
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0006 |
| Category | Injection |
| Severity | CRITICAL |
| CWE | CWE-943 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | nosql-injection, mongodb |
| OWASP | A03:2021-Injection |