celeroncoder / notary-API

Notes App with NestJS-Typescript, MongoDB.
MIT License

Database query built from user-controlled sources #27

Closed celeroncoder closed 3 years ago

celeroncoder commented 3 years ago

Description

Building a database query from user-controlled sources is vulnerable to insertion of malicious code by the user. If a database query (such as a SQL or NoSQL query) is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.

Instances

Expected behaviour

Database query must be sanitized before being passed.

References

  1. Wikipedia: SQL injection.
  2. MongoDB: $eq operator.
  3. Common Weakness Enumeration: CWE-89.
celeroncoder commented 3 years ago

Recommendation

For NoSQL queries, make use of an operator like MongoDB's $eq to ensure that untrusted data is interpreted as a literal value and not as a query object.
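An added example (not code from the notary-API repository) of the difference the recommendation describes: a lookup filter built straight from request input versus one wrapped in `$eq`, run against a small in-memory matcher that stands in for MongoDB's filter evaluation. The `Note` shape, the sample notes and the helper names are assumptions.

```typescript
// Assumed note shape; the real project's schema is not shown on the page.
type Note = { title: string; body: string };

// Constructed sample data standing in for the notes collection.
const NOTES: Note[] = [
  { title: "groceries", body: "milk, eggs" },
  { title: "journal", body: "private" },
];

// Mimics how MongoDB evaluates a filter on one field: a plain value is an
// equality match, an object whose keys start with "$" is a query expression,
// and any other object is compared literally (which a string never equals).
function fieldMatches(stored: string, cond: unknown): boolean {
  if (cond === null || typeof cond !== "object") return stored === cond;
  const expr = cond as Record<string, unknown>;
  const keys = Object.keys(expr);
  if (!keys.some((k) => k.startsWith("$"))) return false;
  return keys.every((k) => {
    if (k === "$eq") return stored === expr[k];
    if (k === "$ne") return stored !== expr[k];
    throw new Error(`operator ${k} not modelled in this example`);
  });
}

// Stand-in for Model.find(filter).
function find(filter: Record<string, unknown>): Note[] {
  return NOTES.filter((n) =>
    Object.entries(filter).every(([k, v]) => fieldMatches(n[k as keyof Note], v)),
  );
}

// Vulnerable: the parsed request body is used as the filter value, so a JSON
// object from the client is interpreted as a query object, not as a title.
function findByTitleUnsafe(userInput: unknown): Note[] {
  return find({ title: userInput });
}

// Mitigation from the recommendation: $eq forces a literal comparison, so an
// object supplied by the client is compared as a value and matches nothing.
function findByTitleEq(userInput: unknown): Note[] {
  return find({ title: { $eq: userInput } });
}

// Defence in depth: validate the type at the boundary as well, so anything
// that is not a string never reaches the query builder.
function findByTitleSafe(userInput: unknown): Note[] {
  if (typeof userInput !== "string") throw new TypeError("title must be a string");
  return findByTitleEq(userInput);
}
```

In a NestJS controller the type check would normally live in a DTO validated by a ValidationPipe rather than inline, but the `$eq` wrapping belongs in the query itself either way.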