NoSQL JavaScript Injection via Untrusted Input in MongoDB $where Operator
Description
MongoDB evaluates the string passed to the `$where` operator as JavaScript once per document, with `this` bound to that document. Building the string from untrusted input (a query parameter, a form field, a JSON body) therefore hands the caller control over code that runs inside the database: a value such as `' || true || '` turns a lookup for one name into a condition that is true for every document, and more targeted expressions can test the contents of fields the caller is not meant to read. The result is disclosure of sensitive data or, when the injected filter selects the documents for an update or delete, modification of data the caller should not be able to reach.
Examples
Insecure Code
```javascript
// req.query.name is spliced straight into JavaScript that MongoDB evaluates per document
db.collection.find({ $where: "this.name == '" + req.query.name + "'" });
```
Secure Code
```javascript
// Whitelist: a name may only contain these characters, so no quote, brace or
// operator can reach the $where string. Non-strings (e.g. ?name[]=x) are rejected too.
const validateInput = (name) => typeof name === 'string' && /^[A-Za-z0-9_]{1,32}$/.test(name);

const name = req.query.name;
if (validateInput(name)) {
  db.collection.find({ $where: `this.name == '${name}'` });
}
```
Remediation
Validate user input before it reaches the `$where` operator, using a whitelist that admits only the expected format (for example a short alphanumeric identifier) rather than a blacklist of dangerous characters. Better still, do not use `$where` for lookups on user-supplied values at all: an equality or operator query such as `db.collection.find({ name: name })` treats the value as data that is compared, never as code that is evaluated. If the application needs no server-side JavaScript, disable it on the server (`security.javascriptEnabled: false`, or `--noscripting`) so that `$where` cannot be reached even if a concatenation slips through.
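The following is an added example, not code from the rule page or from MongoDB. It reproduces the one `$where` behaviour that matters here (the filter string is compiled and run as JavaScript with `this` bound to each document) in a small in-memory stand-in, so that the insecure and secure patterns above and the remediation advice can be exercised without a database. `findWhere`, `findByName`, the `USERS` collection and the `PAYLOAD` string are assumptions made for the demonstration.

```javascript
// Constructed sample collection (not real data).
const USERS = [
  { name: 'alice', role: 'user',  ssn: '111-11-1111' },
  { name: 'bob',   role: 'user',  ssn: '222-22-2222' },
  { name: 'admin', role: 'admin', ssn: '999-99-9999' },
];

// Stand-in for db.collection.find({ $where: expr }): the expression string is
// compiled to a function and run once per document with `this` = the document.
// This is the only MongoDB behaviour the example reproduces.
function findWhere(collection, expr) {
  const predicate = new Function(`return (${expr});`);
  return collection.filter((doc) => Boolean(predicate.call(doc)));
}

// Stand-in for db.collection.find({ name: value }): an equality query.
// The value is compared as data and is never evaluated.
function findByName(collection, value) {
  return collection.filter((doc) => doc.name === value);
}

// The pattern the rule flags: untrusted input spliced into the $where string.
function insecureLookup(collection, untrustedName) {
  return findWhere(collection, "this.name == '" + untrustedName + "'");
}

// Whitelist validator: a name is a short identifier and nothing else. The
// typeof check also rejects the arrays/objects that query-string parsers build
// from input such as ?name[]=x, which would otherwise be stringified.
const NAME_RE = /^[A-Za-z0-9_]{1,32}$/;
function validateInput(name) {
  return typeof name === 'string' && NAME_RE.test(name);
}

// Hardened lookup: reject anything outside the whitelist, then match with an
// equality query so the value is data, not code, even if validation changes later.
function secureLookup(collection, untrustedName) {
  if (!validateInput(untrustedName)) {
    throw new Error('rejected: name does not match whitelist');
  }
  return findByName(collection, untrustedName);
}

// Classic tautology payload: closes the string literal and ORs in `true`,
// turning  this.name == '<input>'  into  this.name == '' || true || ''.
const PAYLOAD = "' || true || '";

// Runs the four cases and returns the matched names so the outcome can be checked.
function demo() {
  const names = (docs) => docs.map((d) => d.name);
  let rejected = false;
  try {
    secureLookup(USERS, PAYLOAD);
  } catch (e) {
    rejected = true;
  }
  return {
    honest: names(insecureLookup(USERS, 'alice')), // ['alice']
    dumped: names(insecureLookup(USERS, PAYLOAD)), // every document
    rejected,                                      // true
    safe: names(secureLookup(USERS, 'alice')),     // ['alice']
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running the file prints the four outcomes: the honest lookup returns only `alice`, the payload returns all three documents including the admin record, the whitelist rejects the payload, and the equality query returns `alice` without ever evaluating the input. Against a real server the same payload runs in MongoDB's own JavaScript engine, and a condition on a field such as `this.ssn` instead of the bare `true` is what turns the tautology into blind extraction one boolean at a time, which is why the remediation prefers removing `$where` rather than only filtering its input.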
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0360 |
| Category | Injection |
| Severity | CRITICAL |
| CWE | CWE-943 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | NoSQL Injection, JavaScript Injection |
| OWASP | A1:2017-Injection, A03:2021-Injection |