Recipe Name:
MongoDB: _id NoSQL Injection
Description:
Do not use string concatenation in where filters
Level:
error
Language:
  • java
Tags:
  • security
  • NoSQL
  • framework specific
  • MongoDB
  • injection
  • OWASP Top 10
Documentation

Secure coding practices prescribe that the use string concatenation in where filters should be avoided. Use parameterized queries

When using concatenation with the where operator, adversaries can bypass restrictions and manipulate or access sensitive data.

Before:
Object result = collection.find(where("this._id == '" + userInput + "'")).first();
After:
Object challenge = collection.find(Filters.eq("_id", new ObjectId(userInput))).first();
Recipe
id: scw:db:mongo:id-injection
version: 10
metadata:
  name: 'MongoDB: _id NoSQL Injection'
  shortDescription: Do not use string concatenation in where filters
  level: error
  language: java
  enabled: true
  descriptionFile: descriptions/MongoDB_idNoSQLInjection.html
  tags: security;NoSQL;framework specific;MongoDB;injection;OWASP Top 10
search:
  methodcall:
    args:
      1:
        type: java.lang.String
        value:
          containsUntrustedInput: true
          stringified:
            matches: this._id.==.*
    name: where
    declaration:
      type: com.mongodb.client.model.Filters
availableFixes:
- name: Use eq() with ObjectId
  actions:
  - rewrite:
      to: com.mongodb.client.model.Filters.eq("_id", new ObjectId({{{ arguments.0.operands.1 }}}))