Do I need to sanitize user input before pasting into MongoDB (MongoDB + Node js combo)

I am using MongoDB with NodeJS, and I am wondering if data needs to be sanitized before inserting / updating database documents. It's hard to find a definite answer, and I'm wondering if there are any Node modules that do this nicely, or do I need to strip all occurrences of lines into lines, or just don't have to worry about it. I know that PHP has holes, but I'm using the Node / Mongo (native driver) command, and I'm still not sure if I need to do user input cleanup.

+5
2 answers

If you store your data as a String, and you don't parse it to execute the Mongo command, then there is nothing to worry about.

Good security article

http://cr.yp.to/qmail/guarantee.html

The only problem arises when you retrieve user input and parse that input to execute a Mongo command; here you need to take care to clean the input, otherwise you will be open to attack.

There is an npm package for this.

https://www.npmjs.com/package/mongo-sanitize

and a good article about it too

https://thecodebarbarian.wordpress.com/2014/09/04/defending-against-query-selector-injection-attacks/

+3
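To make the answer above concrete, here is an added example (not code from either answer, and not from the mongo-sanitize package) showing how query selector injection arises when a user-controlled object, rather than a string, reaches a filter, and two ways to neutralise it: a recursive sanitiser in the spirit of mongo-sanitize, and type-checking the fields before they are used. The request bodies are constructed for the example; no database connection is needed because only the filter objects that would be handed to `collection.findOne()` are built and inspected.

```javascript
// Added example: query selector injection in a Node + MongoDB login check.
// The three request bodies below are constructed sample input, shaped the
// way a JSON body parser would deliver them from an HTTP request.
const honestLogin   = { username: 'alice', password: 'hunter2' };
// JSON body {"username":"alice","password":{"$gt":""}} becomes an object value
const injectedLogin = { username: 'alice', password: { $gt: '' } };
// The same text, but delivered as a plain string: no operator, just data
const stringOnly    = { username: 'alice', password: '{$gt: ""}' };

// Vulnerable: user input is spliced into the filter unchanged, so an object
// value becomes an operator and password: {$gt: ''} matches any password.
function buildFilterUnsafe(body) {
  return { username: body.username, password: body.password };
}

// Returns true if any key at any depth starts with '$' (a MongoDB operator).
// Useful as a last-line check on a filter before it is sent to the driver.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).some(
      ([k, v]) => k.startsWith('$') || containsOperator(v)
    );
  }
  return false;
}

// Sanitiser in the spirit of mongo-sanitize (hypothetical re-implementation):
// recursively drop keys that start with '$'. Strings are untouched, which is
// why string-typed data is safe even when it looks like an operator.
function sanitize(value) {
  if (Array.isArray(value)) return value.map(sanitize);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      if (!k.startsWith('$')) out[k] = sanitize(v);
    }
    return out;
  }
  return value;
}

// Hardened: insist on the types the schema expects and reject anything else,
// rather than trusting a sanitiser to rewrite hostile input into safe input.
function buildFilterSafe(body) {
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    throw new TypeError('username and password must be strings');
  }
  return { username, password };
}

// Stand-alone demonstration
console.log('unsafe filter from injected body:', JSON.stringify(buildFilterUnsafe(injectedLogin)));
console.log('contains operator?', containsOperator(buildFilterUnsafe(injectedLogin)));
console.log('string-only body contains operator?', containsOperator(buildFilterUnsafe(stringOnly)));
console.log('sanitized injected body:', JSON.stringify(sanitize(injectedLogin)));
console.log('safe filter from honest body:', JSON.stringify(buildFilterSafe(honestLogin)));
```

Note that after sanitising, the injected body turns into `password: {}`, which compares against an empty object and matches nothing, while the string-only body is compared literally and never becomes an operator. In a real login handler you would not query by password at all but fetch the user by username and compare a password hash; the pattern above applies to any filter field that is built from request data.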

Yes. For more information check this out: https://www.npmjs.com/package/content-filter

Also, a private escape() method can be used to protect the database.

Follow the code snippet below to see the results.

```javascript
// Original value: looks like a MongoDB operator but is a plain string
let a = "{$gt:25}"
console.log(a)         // {$gt:25}
// The global escape() percent-encodes the braces, '$' and ':'
console.log(escape(a)) // %7B%24gt%3A25%7D
```
+1
