Typescript Unsanitized Dollarwhere Query
Description
Detects potential NoSQL injection vulnerabilities where the $where operator in queries could be manipulated with unsanitized input. This is dangerous because malicious users can inject arbitrary JavaScript code through $where clauses, potentially leading to data exposure or manipulation.
Detection Strategy
• Look for database query operations that use the $where operator in NoSQL queries
• Check if the $where clause value contains or is derived from external input
• Flag queries where the $where parameter value is not properly sanitized or validated before use
• Report a vulnerability if dynamic or user-controlled data can flow into $where clauses
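The strategy above can be turned into a small taint check over JavaScript/TypeScript source text. The following is an added example written for this page, not Fluid Attacks' rule implementation: it assumes request input arrives through identifiers matching `req.params`, `req.query`, `req.body` or `req.headers`, that tainted assignments have the single-line form `const|let|var name = expr;`, and it reads the `$where` value with a tiny scanner that understands string and template literals so an embedded `}` does not end the clause early. The three sample sources are constructed, modelled on the page's two snippets plus a constant `$where`.

```javascript
// Added example (not Fluid Attacks' rule implementation): a small taint check that
// applies the detection strategy above to JavaScript/TypeScript source text.
// Assumptions: request input arrives via identifiers matching TAINT_SOURCE, and
// tainted assignments have the form `const|let|var name = expr;` on one line.
const TAINT_SOURCE = /\breq\.(params|query|body|headers)\b/;

// Record variables whose initializer reads a taint source, directly or via another tainted variable.
function collectTaintedVars(source) {
  const tainted = new Set();
  const assign = /\b(?:const|let|var)\s+([A-Za-z_]\w*)\s*=\s*([^;\n]+)/g;
  let m;
  while ((m = assign.exec(source)) !== null) {
    const [, name, expr] = m;
    const viaVar = [...tainted].some((v) => new RegExp(`\\b${v}\\b`).test(expr));
    if (TAINT_SOURCE.test(expr) || viaVar) tainted.add(name);
  }
  return tainted;
}

// Read the expression that follows `$where:` up to the comma or brace that ends it,
// skipping over string literals and template-literal `${ }` holes so an embedded
// `}` does not end the scan early.
function readValueExpr(src, start) {
  const stack = []; // open brackets; '`' marks a template hole we must return into
  let quote = null;
  let i = start;
  for (; i < src.length; i++) {
    const c = src[i];
    if (quote) {
      if (c === '\\') { i++; continue; }
      if (c === quote) { quote = null; continue; }
      if (quote === '`' && c === '$' && src[i + 1] === '{') { stack.push('`'); quote = null; i++; }
      continue;
    }
    if (c === '"' || c === "'" || c === '`') { quote = c; continue; }
    if ('([{'.includes(c)) { stack.push(c); continue; }
    if (')]}'.includes(c)) {
      if (stack.length === 0) break;           // closes the enclosing query object
      if (stack.pop() === '`') quote = '`';    // back inside the template literal
      continue;
    }
    if (c === ',' && stack.length === 0) break;
  }
  return src.slice(start, i).trim();
}

// A plain string literal with no interpolation or concatenation is static JavaScript.
function isStaticString(expr) {
  return /^(?:'[^'\\]*(?:\\.[^'\\]*)*'|"[^"\\]*(?:\\.[^"\\]*)*"|`[^`\\$]*(?:\\.[^`\\$]*)*`)$/.test(expr);
}

// Report every $where clause with a severity: high when user-controlled data reaches it,
// medium when the clause is built dynamically from data of unknown origin, low when it is a constant.
function scanSource(source) {
  const tainted = collectTaintedVars(source);
  const findings = [];
  const where = /\$where\s*:/g;
  let m;
  while ((m = where.exec(source)) !== null) {
    const expr = readValueExpr(source, m.index + m[0].length);
    const line = source.slice(0, m.index).split('\n').length;
    const identifiers = expr.match(/[A-Za-z_]\w*/g) || [];
    const taintedIdentifiers = identifiers.filter((id) => tainted.has(id));
    const directSource = TAINT_SOURCE.test(expr);
    let severity = 'low';
    if (directSource || taintedIdentifiers.length > 0) severity = 'high';
    else if (!isStaticString(expr)) severity = 'medium';
    findings.push({ line, expr, severity, taintedIdentifiers });
  }
  return findings;
}

// Constructed samples modelled on the page's two snippets, plus one constant $where.
const VULNERABLE_SAMPLE = [
  "const id = req.params.id;",
  "orders.find({ $where: `this.orderId === '${id}'` }).then(order => order);",
].join('\n');
const SAFE_SAMPLE = [
  "const id = String(req.params.id).replace(/[^\\w-]+/g, '');",
  "orders.find({ orderId: id }).then(order => order);",
].join('\n');
const STATIC_SAMPLE = "users.find({ $where: 'this.credits > 100' });";

for (const [name, src] of Object.entries({ VULNERABLE_SAMPLE, SAFE_SAMPLE, STATIC_SAMPLE })) {
  console.log(name, JSON.stringify(scanSource(src)));
}
```

Running it reports one high finding on line 2 of the vulnerable sample (taint traced through `id`), nothing for the safe sample (the same tainted `id` is used only as a field value, never inside `$where`), and a low finding for the constant clause. A clause such as `'this.age > ' + minAge` whose operand the scanner cannot trace to a request source is reported as medium, which is the case a reviewer should look at by hand; a production rule would do the same on an AST rather than on regular expressions.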
Vulnerable code example
const MarsDB = require('marsdb');
const orders = new MarsDB.Collection('orders');

function processOrder(req) {
  const id = req.params.id;
  // Vulnerable: user input is interpolated directly into the $where JavaScript
  // expression, so the value is evaluated as code rather than compared as data
  orders.find({ $where: `this.orderId === '${id}'` }).then(order => {
    // ... handle the matched order
  });
}
✅ Secure code example
const MarsDB = require('marsdb');
const orders = new MarsDB.Collection('orders');

function processOrder(req) {
  // Sanitize id by removing special characters (defense in depth; the real fix is
  // not using $where at all)
  const id = String(req.params.id).replace(/[^\w-]+/g, '');
  // Safe: a direct field comparison treats id as a value, never as JavaScript,
  // so $where is not needed
  orders.find({ orderId: id }).then(order => {
    // ... handle the matched order
  });
}