Recipe Name:
MongoDB: _id NoSQL Injection
Description:
Do not use string concatenation in where filters
Level:
error
Language:
- java
Tags:
- security
- NoSQL
- framework specific
- MongoDB
- injection
- OWASP Top 10
Documentation
Secure coding practices prescribe that the use of string concatenation in where filters should be avoided; use parameterized queries instead.
When untrusted input is concatenated into the where operator's JavaScript expression, adversaries can alter the query to bypass restrictions and manipulate or access sensitive data.
Before:
Object result = collection.find(where("this._id == '" + userInput + "'")).first();
After:
Object result = collection.find(Filters.eq("_id", new ObjectId(userInput))).first();
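The fixed form above still throws IllegalArgumentException if userInput is not a well-formed ObjectId. The following added example (not part of the recipe or the MongoDB driver) wraps the lookup so malformed ids are rejected before the filter is built; the collection name and the UserLookup class are assumptions.

```java
import com.mongodb.client.MongoCollection;
import com.mongodb.client.model.Filters;
import org.bson.Document;
import org.bson.types.ObjectId;

import java.util.Optional;

/**
 * Looks up a document by _id with a structured filter instead of a
 * concatenated $where JavaScript expression. Added example; the class name
 * and the use of a Document collection are assumptions.
 */
public final class UserLookup {

    private final MongoCollection<Document> collection; // assumed: e.g. the "users" collection

    public UserLookup(MongoCollection<Document> collection) {
        this.collection = collection;
    }

    /**
     * Returns the document whose _id equals the supplied value, or empty when
     * the input is not a valid ObjectId or no document matches.
     */
    public Optional<Document> findById(String untrustedId) {
        // ObjectId.isValid accepts only a 24-character hex string, so any other
        // text is rejected here instead of surfacing as an exception from the
        // ObjectId constructor.
        if (untrustedId == null || !ObjectId.isValid(untrustedId)) {
            return Optional.empty();
        }
        // Filters.eq produces the BSON document {"_id": ObjectId(...)}; the value
        // travels as typed data and is never interpreted as query syntax or
        // evaluated as JavaScript, unlike the concatenated where("...") form.
        Document result = collection
                .find(Filters.eq("_id", new ObjectId(untrustedId)))
                .first();
        return Optional.ofNullable(result);
    }
}
```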
Recipe
id: scw:db:mongo:id-injection
version: 10
metadata:
  name: 'MongoDB: _id NoSQL Injection'
  shortDescription: Do not use string concatenation in where filters
  level: error
  language: java
  enabled: true
  descriptionFile: descriptions/MongoDB_idNoSQLInjection.html
  tags: security;NoSQL;framework specific;MongoDB;injection;OWASP Top 10
search:
  methodcall:
    args:
      1:
        type: java.lang.String
        value:
          containsUntrustedInput: true
          stringified:
            matches: this._id.==.*
    name: where
    declaration:
      type: com.mongodb.client.model.Filters
availableFixes:
  - name: Use eq() with ObjectId
    actions:
      - rewrite:
          to: com.mongodb.client.model.Filters.eq("_id", new ObjectId({{{ arguments.0.operands.1 }}}))