Get Even More Visitors To Your Blog, Upgrade To A Business Listing >>

JavaScript NoSQL Injection prevention in MongoDB

JavaScript NoSQL Injection prevention in MongoDB


How can I prevent Javascript Nosql injections into MongoDB?

I am working on a Node.js application and I am passing req.body, which is a json object, into the mongoose model's save function. I thought there were safeguards behind the scenes, but this doesn't appear to be the case.

Problem courtesy of: daniel


As a client program assembles a query in MongoDB, it builds a BSON object, not a string. Thus traditional SQL injection attacks are not a problem.

For details follow the documentation


Avoid expression like eval which can execute arbitrary JS. If you are taking input from user and running eval like expressions without cleaning the input you can screw up. As pointed by JoBu1324, operations like where, mapReduce and group permit to execute JS expressions directly.

Solution courtesy of: Sushant Gupta


View additional discussion.

This post first appeared on Node.js Recipes, please read the originial post: here

Share the post

JavaScript NoSQL Injection prevention in MongoDB


Subscribe to Node.js Recipes

Get updates delivered right to your inbox!

Thank you for your subscription