DEV Community 👩‍💻👨‍💻

Discussion on: One-step to prevent potential NoSQL Injection in your mongodb application

Gurkirat Singh (Author)

Read this blog again; you will find that it works only on the insertion query. I have a solution for find and findOne queries.

hjrobinson

Oh yeah. You're right.

hjrobinson (edited)

If I'm using a module like bcryptjs to make a comparison between passwords would this even matter because I'm not passing in a password to match against directly? It seems like the not equals thing wouldn't matter in this case. Of course not everyone is going to be using bcryptjs.


Gurkirat Singh (Author)

While using this module, you would have to pass the replaceWith string. This will replace the nested object that exceeds the limit with that string.

Read the usage here: npmjs.com/package/@tbhaxor/mongo-s...

hjrobinson

I've imported the module and followed the instructions but I get this error:

TypeError: mongoSecure is not a function

Gurkirat Singh (Author)

Please open an issue on the repository or share the code.

hjrobinson

I used a bare-bones approach, just using the code from your example in the repo, and there doesn't seem to be an issue, so I think it's some sort of conflict with my existing code, another module, or something not being up to date. It's not a top priority for me to narrow down the problem right now, but if I ever get back to it I'll post an issue in the repo.

hjrobinson (edited)

For the record, your middleware code seems to do the trick without having to use the mongo-secure module. Without the middleware, the password in my example would still be protected from injection because bcrypt.compareSync returns:

{
"message": "Illegal arguments: object, string"
}

However, if the attacker knew the password and not the email, there would still be a threat, so your middleware code still comes in handy for my use case. I don't know if the middleware will affect my other endpoints, but I'm sure it will be revealed if it does. Thanks for the post.
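The middleware behaviour discussed in this thread, as an added example that is neither the author's middleware nor the @tbhaxor/mongo-secure module: a depth-limited sanitiser that replaces nested objects in req.body with a replaceWith string, exercised on the known-password/unknown-email case hjrobinson describes. The middleware signature, option names and the sample request are assumptions.

```javascript
// Added example: a depth-limited body sanitiser in the spirit of the middleware
// discussed above (an assumption, not the author's code or @tbhaxor/mongo-secure).
// Any value nested deeper than maxDepth (e.g. {"$ne": ""}) becomes replaceWith,
// so operator objects never reach a find()/findOne() filter or bcrypt.
function sanitizeValue(value, maxDepth, replaceWith, depth = 0) {
  if (value === null || typeof value !== 'object') return value; // strings, numbers, booleans
  if (depth >= maxDepth) return replaceWith;                      // nested object/array: flatten
  if (Array.isArray(value)) {
    return value.map((v) => sanitizeValue(v, maxDepth, replaceWith, depth + 1));
  }
  const clean = {};
  for (const [key, v] of Object.entries(value)) {
    if (key.startsWith('$')) continue; // "$where" etc. are never legitimate form fields
    clean[key] = sanitizeValue(v, maxDepth, replaceWith, depth + 1);
  }
  return clean;
}

// Express-style middleware wrapper (hypothetical option names).
function mongoSanitize({ maxDepth = 1, replaceWith = '' } = {}) {
  return (req, res, next) => {
    req.body = sanitizeValue(req.body, maxDepth, replaceWith);
    next();
  };
}

// What a login handler would hand to findOne(): the email filter only; the
// password is compared afterwards with bcrypt, as in hjrobinson's setup.
function buildLoginFilter(body) {
  return { email: body.email };
}

// Constructed request for the case from the thread: the attacker knows a
// password but not the email, and sends an operator object for the email.
function constructedLoginRequest() {
  return { body: { email: { $ne: '' }, password: 'known-password' } };
}

// Runs the same request through the lookup with and without the middleware.
function demo(req) {
  const before = buildLoginFilter(req.body); // { email: { $ne: '' } } matches every user
  mongoSanitize({ maxDepth: 1, replaceWith: '' })(req, {}, () => {});
  const after = buildLoginFilter(req.body);  // { email: '' } matches no real account
  return { before, after, passwordType: typeof req.body.password };
}

console.log(JSON.stringify(demo(constructedLoginRequest())));
```

Because the sanitiser runs before the route handler, the password field also stays a plain string, which is why the "Illegal arguments: object, string" error from bcrypt.compareSync no longer occurs for an object-valued password.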