Nosql injection

[Jesse]

I am in the process of building out a webapp on mongoose. Does the
query api... specifically find and find one automatically cleanse
query objects from nosql injection attacks? Is there any
"paramaterized" format that allows you to specify the query in a
format other than simply passing in query objects. My fear is that
doing something like

User.findOne({"name" : req.params.name, "password" :
req.params.password}, function(err, user){ return user;}); //possibly
open to nosql injection?

will allow users to injectoin something like

Usesr.findOne({"name" : "john", "password" : {$ne : 1}}, function(err,
user){ return user;}); //effectively selecting any john user with any
password (as long as it's not equal to 1)

If we need to cleans the query objects ourselves then I think it
should be made very apparent on the mongoose orm website and
everywhere in the docs. I think some people might be naive and think
that nosql solutions are somehow impervious to sql injection attacks.

see these docs:

http://erlend.oftedal.no/blog/?blogid=111

http://www.idontplaydarts.com/2010/07/mongodb-is-vulnerable-to-sql-injection-in-php-at-least/

[Christopher Thorn]

I think you are safe... mongoose won't try to parse JSON, but will
instead treat it as it should, as a string.

[Aaron Heckmann]

Yes, Mongoose casts values according to their schema which in this example means casting {$ne: 1} as a string before executing the query.

-- Aaron

[Jesse Sanford]

Fantastic. Thank you.