Discussion on: One-step to prevent potential NoSQL Injection in your mongodb application

 
hjrobinson

I used a bare-bones approach, just using the code from your example in the repo, and there doesn't seem to be an issue, so I think it's some sort of conflict with my existing code, another module, or something not being up to date. It's not a top priority for me to narrow down the problem right now, but if I ever get back to it I'll post an issue in the repo.

hjrobinson • Edited

For the record, your middleware code seems to do the trick without having to use the mongo-secure module. Without the middleware, the password in my example would still be protected from injection because bcrypt.compareSync returns:

{
"message": "Illegal arguments: object, string"
}

However, if the attacker knew the password and not the email, there would still be a threat, so your middleware code still comes in handy for my use case. I don't know if the middleware will affect my other endpoints, but I'm sure it will be revealed if it does. Thanks for the post.
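
The case described in the comment above (the password check fails on an object, but an object-valued email can still reach the query) can be closed with a type check in front of the handler. This is an added example, not the post author's middleware or code from the mongo-secure module; `hasOperatorKey`, `rejectOperatorInput`, `run` and the sample bodies are hypothetical names and constructed inputs.

```javascript
// Added example with hypothetical names; not the middleware from the post.

// Report whether a parsed JSON value contains a key that MongoDB would
// interpret as a query operator (any key starting with "$"), at any depth.
function hasOperatorKey(value) {
  if (Array.isArray(value)) return value.some(hasOperatorKey);
  if (value === null || typeof value !== 'object') return false;
  return Object.keys(value).some(
    (k) => k.startsWith('$') || hasOperatorKey(value[k])
  );
}

// Express-style middleware (req, res, next). Rejects the request before any
// query runs if the body is not an object, a credential field is not a plain
// string, or an operator key appears anywhere in the body.
function rejectOperatorInput(req, res, next) {
  const body = req.body;
  const isObject = body !== null && typeof body === 'object';
  const badType = isObject && ['email', 'password'].some(
    (f) => f in body && typeof body[f] !== 'string'
  );
  if (!isObject || badType || hasOperatorKey(body)) {
    res.statusCode = 400;
    return res.end('invalid input');
  }
  return next();
}

// Minimal stand-ins for the Express request/response so this runs offline.
function run(body) {
  const res = { statusCode: 200, end() {} };
  let reachedHandler = false;
  rejectOperatorInput({ body }, res, () => { reachedHandler = true; });
  return { status: res.statusCode, reachedHandler };
}

// Constructed sample bodies: a normal login, and one where the email field
// arrives as an object instead of a string.
const normal = run({ email: 'user@example.com', password: 'correct horse' });
const objectEmail = run({ email: { $ne: null }, password: 'known-password' });
const nested = run({ email: 'user@example.com', profile: { $where: '1' } });
console.log({ normal, objectEmail, nested });
```

Because the check runs on every body it is mounted in front of, endpoints that legitimately accept keys starting with `$` would need to be excluded from it.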