feathersjs / docs

[MOVED] Legacy Feathers documentation
https://crow.docs.feathersjs.com/
MIT License

[Security] Add security suggestions of $populate mongoose operator #1542

Closed matiaslopezd closed 11 months ago

matiaslopezd commented 2 years ago

If a dev adds the $populate operator to the whitelist of a service, it will be vulnerable to NoSQL injection. So it will be extremely important to add a security suggestion to the docs on how to handle this.

Mongoose reference documentation.

Example NoSQL $populate injection

// As object
{
   "$populate[0]": {
       "path": "users",
       "select": "email password"
    }
}

// Full query string parameters
api.example.com/posts?%24populate%5B0%5D%5Bpath%5D=users&%24populate%5B0%5D%5Bselect%5D=email%20password

Solution

Patch the $populate operator to allow it only as a string.

const { Forbidden } = require('@feathersjs/errors');
// $populate may be absent, a single string, or an array (qs parsing); normalise before checking
const populate = [].concat(context.params.query.$populate || []);
const isNoSQLInjection = populate.some(populate => typeof populate !== 'string');
if (isNoSQLInjection) throw new Forbidden('$populate operator as object is not allowed.');
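As an added example (not from the Feathers docs or from the issue author), here is a reusable Feathers `before` hook that applies the suggested fix and also restricts `$populate` to paths the service explicitly allows; `Forbidden` is a stand-in for the class exported by `@feathersjs/errors`, and `restrictPopulate`, `runHook` and the sample queries are assumptions made for the demonstration.

```javascript
// Stand-in for Forbidden from @feathersjs/errors so the file runs without
// Feathers installed (same name, message and 403 code).
class Forbidden extends Error {
  constructor(message) { super(message); this.name = 'Forbidden'; this.code = 403; }
}

// allowedPaths: populate paths the service is willing to expose (assumption:
// the service owner chooses this list; it is never read from the client).
function restrictPopulate(allowedPaths) {
  const allowed = new Set(allowedPaths);
  return context => {
    const query = context.params.query || {};
    if (query.$populate === undefined) return context;
    // qs can yield a single string or an array; normalise to an array.
    const populate = [].concat(query.$populate);
    for (const p of populate) {
      // Object form ({ path, select }) lets a client choose fields such as
      // "email password" on the populated document, so only strings pass.
      if (typeof p !== 'string') {
        throw new Forbidden('$populate operator as object is not allowed.');
      }
      if (!allowed.has(p)) {
        throw new Forbidden(`Populating "${p}" is not allowed.`);
      }
    }
    context.params.query = { ...query, $populate: populate };
    return context;
  };
}

// Returns 'ok' or 'forbidden' so the outcome can be checked without a server.
function runHook(hook, query) {
  try {
    hook({ params: { query } });
    return 'ok';
  } catch (err) {
    if (err instanceof Forbidden) return 'forbidden';
    throw err;
  }
}

// Constructed sample queries, shaped as Feathers sees them after qs parsing.
const hook = restrictPopulate(['author']);
const stringForm = { $populate: 'author' };
const objectForm = { $populate: [{ path: 'users', select: 'email password' }] };
const unlistedPath = { $populate: ['users'] };
```

Register it with `app.service('posts').hooks({ before: { find: [restrictPopulate(['author'])] } })` (hook registration syntax as in the Feathers docs); the object-form query from the issue is rejected before it reaches Mongoose.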