ajinabraham.njsscan.nosql_find_injection.node_nosqli_injection
ajinabrahamAuthor
1,524
Download Count*
License
Untrusted user input in findOne() function can result in NoSQL Injection.
Run Locally
Run in CI
Defintion
rules:
- id: node_nosqli_injection
patterns:
- pattern-not-inside: |
$SANITIZE = require('mongo-sanitize')
...
$SANITIZE(...)
...
- pattern-not-inside: |
import $SANITIZE from 'mongo-sanitize'
...
$SANITIZE(...)
...
- pattern-either:
- pattern: |
$OBJ.findOne({$KEY : <... $REQ.$FOO.$BAR ...> }, ...)
- pattern: |
$OBJ.findOne({$KEY: <... $REQ.$FOO ...> }, ...)
- pattern: |
$INP = <... $REQ.$FOO.$BAR ...>;
...
$OBJ.findOne({$KEY : <... $INP ...> }, ...)
- pattern: |
$INP = <... $REQ.$FOO ...>;
...
$OBJ.findOne({$KEY: <... $INP ...> }, ...)
- pattern: |
$QUERY = {$KEY: <... $REQ.$FOO.$BAR ...>};
...
$OBJ.findOne($QUERY, ...)
- pattern: |
$QUERY = {$KEY: <... $REQ.$FOO ...>};
...
$OBJ.findOne($QUERY, ...)
- pattern: |
$INP = <... $REQ.$FOO.$BAR ...>;
...
$QUERY = {$KEY : <... $INP ...> };
...
$OBJ.findOne(<... $QUERY ...>, ...)
- pattern: |
$INP = <... $REQ.$FOO ...>;
...
$QUERY = {$KEY : <... $INP ...> };
...
$OBJ.findOne(<... $QUERY ...>, ...)
- pattern: |
$QUERY[$KEY] = <... $REQ.$FOO.$BAR ...>;
...
$OBJ.findOne($QUERY, ...)
- pattern: |
$QUERY[$KEY] = <... $REQ.$FOO ...>;
...
$OBJ.findOne($QUERY, ...)
- pattern: |
$INP = <... $REQ.$FOO.$BAR ...>;
...
$QUERY[$KEY] = <... $INP ...>;
...
$OBJ.findOne(<... $QUERY ...>, ...)
- pattern: |
$INP = <... $REQ.$FOO ...>;
...
$QUERY[$KEY] = <... $INP ...>;
...
$OBJ.findOne(<... $QUERY ...>, ...)
message: Untrusted user input in findOne() function can result in NoSQL Injection.
languages:
- javascript
severity: ERROR
metadata:
owasp-web: a1
cwe: cwe-943
license: LGPL-3.0-or-later
Short Link: https://sg.run/b7EP