Python Nosql Injection Untrusted Input
Description
Detects potential NoSQL injection vulnerabilities where untrusted user input flows into PyMongo database queries. This vulnerability occurs when user-controlled data is directly passed to PyMongo query methods without proper sanitization, allowing attackers to manipulate database operations and potentially access or modify unauthorized data.
Detection Strategy
• Checks if the PyMongo library is imported in the analyzed code
• Identifies calls to risky PyMongo query methods such as find(), insert(), update() and delete()
• Examines the first argument of these method calls to determine if it contains user input
• Verifies if the user input is used without proper sanitization or validation
• Reports a vulnerability when unsanitized user input flows into PyMongo query methods
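The detection strategy above, as an added example that is not Fluid Attacks' own checker: a small AST-based scanner that applies the five steps to a Flask handler. The list of risky methods, the taint source (Flask's request object) and the sanitizers (coercion to a scalar with str/int/float) are assumptions for this example; taint through local variables is not followed, only direct use of request in the first argument.

```python
import ast

# Assumptions for this example, not a complete list of PyMongo methods or sanitizers.
RISKY_METHODS = {"find", "find_one", "insert", "insert_one", "update", "update_one",
                 "delete", "delete_one", "delete_many"}
USER_INPUT_ROOTS = {"request"}          # Flask: request.form / request.args / request.json
SANITIZERS = {"str", "int", "float"}    # coercion to a scalar: an operator document cannot survive it

def _imports_pymongo(tree):
    for node in ast.walk(tree):
        if isinstance(node, ast.Import) and any(a.name.split(".")[0] == "pymongo" for a in node.names):
            return True
        if isinstance(node, ast.ImportFrom) and (node.module or "").split(".")[0] == "pymongo":
            return True
    return False

def _tainted(node):
    """True if user input reaches this expression without passing through a sanitizer call."""
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id in SANITIZERS:
        return False
    if isinstance(node, ast.Name) and node.id in USER_INPUT_ROOTS:
        return True
    return any(_tainted(child) for child in ast.iter_child_nodes(node))

def find_nosql_injection(source):
    """Return (line, method) for every risky PyMongo call whose first argument is tainted.
    Only direct use of `request` is tracked; taint through local variables is not followed."""
    tree = ast.parse(source)
    if not _imports_pymongo(tree):          # step 1: no PyMongo, nothing to report
        return []
    return [(n.lineno, n.func.attr) for n in ast.walk(tree)
            if isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute)
            and n.func.attr in RISKY_METHODS      # step 2: risky method
            and n.args and _tainted(n.args[0])]  # steps 3-4: unsanitized input in first argument

# Constructed Flask handlers to scan: the first builds the filter straight from request.json,
# the second coerces each value to str so the filter can only contain plain strings.
VULNERABLE = """
from flask import Flask, request
from pymongo import MongoClient
db = MongoClient().test_database
app = Flask(__name__)

@app.route('/login', methods=['POST'])
def login():
    doc = db.users.find_one({"user": request.json["user"], "pw": request.json["pw"]})
    return "ok" if doc else "denied"
"""
SECURE = VULNERABLE.replace('request.json["user"]', 'str(request.json["user"])') \
                   .replace('request.json["pw"]', 'str(request.json["pw"])')

if __name__ == "__main__":
    print(find_nosql_injection(VULNERABLE))   # [(9, 'find_one')]
    print(find_nosql_injection(SECURE))       # []
```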
Vulnerable code example
from flask import Flask, request
from pymongo import MongoClient
client = MongoClient()
db = client.test_database
app = Flask(__name__)
@app.route('/login', methods=['POST'])...
Secure code example
from flask import Flask, request
from pymongo import MongoClient
client = MongoClient()
db = client.test_database
app = Flask(__name__)
@app.route('/login', methods=['POST'])...