contrib.nodejsscan.nosql_find_injection.node_nosqli_injection


Untrusted user input in findOne() function can result in NoSQL Injection.

Definition

# Semgrep rule: reports `findOne()` calls whose query object carries a value
# derived from a member access ($REQ.$FOO or $REQ.$FOO.$BAR). Note that $REQ
# is an unconstrained metavariable, so the rule is not limited to Express
# `req.body`/`req.query` — any `obj.prop` used as a query value matches, which
# is a source of false positives to keep in mind when triaging.
# Only `findOne` is matched here; other query entry points are not covered by
# this rule as written.
rules:
  - id: node_nosqli_injection
    patterns:
      - pattern-either:
          # Form 1: request-derived value used inline in the findOne() query literal.
          - pattern: |
              $OBJ.findOne({$KEY : <... $REQ.$FOO.$BAR ...> }, ...);
          - pattern: |
              $OBJ.findOne({$KEY: <... $REQ.$FOO ...> }, ...);
          # Form 2: value first stored in a local ($INP), later used in the query literal.
          # The `...` between the two statements does not inspect what happens to
          # $INP in between, so input that is validated or coerced to a string
          # before the call is presumably still reported — confirm on your codebase.
          - pattern: |
              $INP = <... $REQ.$FOO.$BAR ...>;
              ...
              $OBJ.findOne({$KEY : <... $INP ...> }, ...);
          - pattern: |
              $INP = <... $REQ.$FOO ...>;
              ...
              $OBJ.findOne({$KEY: <... $INP ...> }, ...);
          # Form 3: query object built as a literal ($QUERY) and passed by name.
          - pattern: |
              $QUERY = {$KEY: <... $REQ.$FOO.$BAR ...>};
              ...
              $OBJ.findOne($QUERY, ...);
          - pattern: |
              $QUERY = {$KEY: <... $REQ.$FOO ...>};
              ...
              $OBJ.findOne($QUERY, ...);
          # Form 4: local ($INP) -> query literal ($QUERY) -> findOne(), two hops.
          - pattern: |
              $INP = <... $REQ.$FOO.$BAR ...>;
              ...
              $QUERY = {$KEY : <... $INP ...> };
              ...
              $OBJ.findOne(<... $QUERY  ...>, ...);
          - pattern: |
              $INP = <... $REQ.$FOO ...>;
              ...
              $QUERY = {$KEY : <... $INP ...> };
              ...
              $OBJ.findOne(<... $QUERY  ...>, ...);
          # Form 5: query object populated via computed-key assignment ($QUERY[$KEY] = ...).
          - pattern: |
              $QUERY[$KEY] = <... $REQ.$FOO.$BAR ...>;
              ...
              $OBJ.findOne($QUERY, ...);
          - pattern: |
              $QUERY[$KEY] = <... $REQ.$FOO ...>;
              ...
              $OBJ.findOne($QUERY, ...);
          # Form 6: local ($INP) -> computed-key assignment -> findOne(), two hops.
          - pattern: |
              $INP = <... $REQ.$FOO.$BAR ...>;
              ...
              $QUERY[$KEY] = <... $INP ...>;
              ...
              $OBJ.findOne(<... $QUERY  ...>, ...);
          - pattern: |
              $INP = <... $REQ.$FOO ...>;
              ...
              $QUERY[$KEY] = <... $INP ...>;
              ...
              $OBJ.findOne(<... $QUERY  ...>, ...);
    message: Untrusted user input in findOne() function can result in NoSQL Injection.
    languages:
      - javascript
    # ERROR: a confirmed match is treated as a blocking finding in CI.
    severity: ERROR
    metadata:
      # OWASP Top 10 2017 category; the 2021 list files injection under A03:2021.
      owasp: A01:2017 - Injection
      cwe: "CWE-943: Improper Neutralization of Special Elements in Data Query Logic"
      category: security
      technology:
        - node.js
        - express
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

nosql_find_injection.js



// Intentionally vulnerable Semgrep test fixture. The `ruleid:` comment marks the
// statement the rule is expected to flag and must stay immediately above it;
// the code shape is what the rule matches, so it is left as-is on purpose.
//
// Why this is a finding: the query value is copied verbatim from the request
// body. If the body is parsed as JSON (body-parser setup is not shown here),
// `req.body.email` can arrive as an object rather than a string, and an object
// carrying a query operator is evaluated by a MongoDB-style driver as a
// condition instead of a literal match — the NoSQL injection the rule reports.
// A real handler would reject non-string values (or otherwise validate the
// field) before building the query.
// NOTE(review): `User` is presumably a Mongoose/MongoDB model — not visible here.
app.post('/smth', function (req, res) {
    var query = {};
    // ruleid:node_nosqli_injection
    query['email'] = req.body.email;
    User.findOne(query, function (err, data) {
        if (err) {
            // Returns the raw driver error to the client, which may expose internal
            // details; acceptable only in a test fixture.
            res.send(err);
        } else if (data) {
            res.send('User Login Successful');
        } else {
            res.send('Wrong Username Password Combination');
        }
    })
});

// Intentionally vulnerable Semgrep test fixture: both query values come straight
// from the request body and are placed inline in the findOne() query literal.
// The `ruleid:` comment must stay immediately above the findOne() call.
//
// Two separate problems are visible here, only the first of which the rule
// reports: (1) `req.body.email` and `req.body.password` are used unvalidated,
// so either may carry a query operator instead of a string if the body is
// parsed as JSON (parser setup not shown); (2) matching the submitted password
// directly against a stored field implies the password is stored and compared
// in plaintext rather than as a hash — a real login handler should never do
// this, independent of the injection issue.
app.post('/login', function (req, res) {
    // ruleid:node_nosqli_injection
    User.findOne({ 'email': req.body.email, 'password': req.body.password }, function (err, data) {
        if (err) {
            // Returns the raw driver error to the client, which may expose internal
            // details; acceptable only in a test fixture.
            res.send(err);
        } else if (data) {
            res.send('User Login Successful');
        } else {
            res.send('Wrong Username Password Combination');
        }
    })
});