NoSQL Injection

Need

To prevent unauthorized data access and manipulation through NoSQL Injection attacks

Context

Usage of Elixir (v1.11+) for building scalable and fault-tolerant applications
Usage of MongoDB driver for interacting with MongoDB database

Description

Non compliant code

defmodule MyAppWeb.PageController do
  use MyAppWeb, :controller

  def show(conn, %{"id" => id}) do
    page = Mongo.find(:mongo, "pages", %{"_id" => id}) |> Enum.to_list()
    json(conn, page)
  end
end

In this insecure code, the Elixir/Phoenix application accepts an ID from user input and uses it directly in a MongoDB query. This can be exploited for a NoSQL Injection attack, leading to unauthorized data access or manipulation.

Steps

Don't use user input directly in NoSQL queries.
Sanitize user input before using it in a query.
Use parameterized queries or prepared statements if available.

Compliant code

defmodule MyAppWeb.PageController do
  use MyAppWeb, :controller

  def show(conn, %{"id" => id}) do
    id = String.replace(id, "$", "") |> String.replace(".", "")
    page = Mongo.find(:mongo, "pages", %{"_id" => id}) |> Enum.to_list()
    json(conn, page)
  end
end

In this secure code, the application now sanitizes the user input by replacing potential NoSQL Injection attack characters '$' and '.'. The sanitized input is then used in the MongoDB query.

References

106.NoSQL injection

Need​

Context​

Description​

Non compliant code​

Steps​

Compliant code​

References​