ajinabraham.njsscan.nosql_injection.node_nosqli_js_injection

rules:
  - id: node_nosqli_js_injection
    patterns:
      - pattern-either:
          - pattern: |
              $OBJ.$FUNC({$where: <... $REQ.$FOO.$BAR ...>}, ...)
          - pattern: |
              $OBJ.$FUNC({$where: <... $REQ.$QUERY ...>}, ...)
          - pattern: |
              $NSQL = <... $REQ.$QUERY.$...>;
              ...
              $OBJ.$FUNC({$where: <... $NSQL ...>}, ...)
          - pattern: |
              $NSQL = <... $REQ.$QUERY ...>;
              ...
              $OBJ.$FUNC({$where: <... $NSQL ...>}, ...)
          - pattern: |
              $INP = $REQ.$FOO.$BAR;
              ...
              $QRY = {$where: <... $INP ...>};
              ...
              $OBJ.$FUNC(<... $QRY ...>, ...)
          - pattern: |
              $INP = $REQ.$FOO;
              ...
              $QRY = {$where: <... $INP ...>};
              ...
              $OBJ.$FUNC(<... $QRY ...>, ...)
          - pattern: |
              $QRY["$where"] = <... $REQ.$FOO ...>;
              ...
              $OBJ.$FUNC(<... $QRY ...>, ...)
          - pattern: |
              $QRY["$where"] = <... $REQ.$FOO.$BAR ...>;
              ...
              $OBJ.$FUNC(<... $QRY ...>, ...)
          - pattern: |
              $INP = $REQ.$FOO;
              ...
              $QRY["$where"] = <... $INP ...>;
              ...
              $OBJ.$FUNC(<... $QRY ...>, ...)
          - pattern: |
              $INP = $REQ.$FOO.$BAR;
              ...
              $QRY["$where"] = <... $INP ...>;
              ...
              $OBJ.$FUNC(<... $QRY ...>, ...)
    message: Untrusted user input in MongoDB $where operator can result in NoSQL
      JavaScript Injection.
    languages:
      - javascript
    severity: ERROR
    metadata:
      owasp-web: a1
      cwe: cwe-943
      license: LGPL-3.0-or-later