DEV Community 👩‍💻👨‍💻

Discussion on: One-step to prevent potential NoSQL Injection in your mongodb application

 
Gurkirat Singh (tbhaxor), Author

Please open an issue on the repository or share the code.

hjrobinson

I used a bare-bones approach, just using the code from your example in the repo, and there doesn't seem to be an issue, so I think it's some sort of conflict with my existing code, another module, or something not being up to date. It's not a top priority for me to narrow down the problem right now, but if I ever get back to it I'll post an issue in the repo.

hjrobinson • Edited on

For the record, your middleware code seems to do the trick without having to use the mongo-secure module. Without the middleware, the password in my example would still be protected from injection because bcrypt.compareSync returns:

{
"message": "Illegal arguments: object, string"
}

However, if the attacker knew the password and not the email, there would still be a threat, so your middleware code still comes in handy for my use case. I don't know if the middleware will affect my other endpoints, but I'm sure it will be revealed if it does. Thanks for the post.
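
The gap described in the last comment (bcrypt's type check covers the password field, but nothing covers the email field) as an added example; it is not part of the thread and is not the article's middleware or the mongo-secure module. The names `stripOperators`, `sanitizeRequest` and `requireStringCredentials`, the mock `res` object and the request body are all constructed for illustration.

```javascript
// Added example: hypothetical Express-style middleware, not the article's code.

// Recursively drop keys MongoDB would read as operators or dotted paths
// (for example "$ne" or "a.b"), so only plain values reach the query.
function stripOperators(value) {
  if (Array.isArray(value)) return value.map(stripOperators);
  if (value === null || typeof value !== "object") return value;
  const clean = {};
  for (const [key, inner] of Object.entries(value)) {
    if (key.startsWith("$") || key.includes(".")) continue;
    clean[key] = stripOperators(inner);
  }
  return clean;
}

// Global middleware: sanitizes the parsed JSON body only (assumption:
// query strings and route params are handled separately).
function sanitizeRequest(req, res, next) {
  if (req.body) req.body = stripOperators(req.body);
  next();
}

// Login-route check: both credentials must be strings, so an object in
// either field is rejected before it reaches findOne() or bcrypt.
function requireStringCredentials(req, res, next) {
  const { email, password } = req.body || {};
  if (typeof email !== "string" || typeof password !== "string") {
    return res.status(400).json({ message: "email and password must be strings" });
  }
  next();
}

// Constructed request: operator object in email, string password.
function demo() {
  const req = { body: { email: { $ne: null }, password: "known-password" } };
  const res = {
    statusCode: 200,
    payload: null,
    status(code) { this.statusCode = code; return this; },
    json(obj) { this.payload = obj; return this; },
  };
  let reachedHandler = false;
  sanitizeRequest(req, res, () =>
    requireStringCredentials(req, res, () => { reachedHandler = true; }));
  return { email: req.body.email, status: res.statusCode, reachedHandler };
}
```

Putting the string check on the login route only, rather than globally, keeps it from interfering with other endpoints that legitimately accept nested objects.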