The MongoDB Apocalypse cruelly reminded to MongoDB users that security should be a major concerns. But configuration is not the only weak spot in MongoDB's armor. Here is the second article of our series on MongoDB injections.
Recently, we introduced you to a kind of injections in applications that use MongoDB (especially the ones based on Node.js/Express). As the risks linked to such attacks are very high the legitimate follow-up question is "How can one protect an application against this kind of NoSQL injections ?".
In this article, we will see how data validation can be used to prevent object injections in MongoDB queries.
The injections we referred to in the last article are based on object injection: if the attacker is able to have an object injected where a string is expected he can be able to forge a malicious MongoDB query.
Using data validation will ensure that the request's parameters will be correctly formatted and typed.
Manual Data validation
The code of the controller is:
In our example, we could add a data-validation middleware to check the format of the request's body:
This middleware has to be inserted before the controller we wrote sooner. This solution, while being very clear, can easily bloat your codebase. You will have to test and maintain more and more code when your data models become more and more complex.
Using a library
I would recommend using a library to do this heavy lifting, for example Joi. There is even a nice middleware to help you using Joi with express. It is named Celebrate and is maintained by some of the best Node.js developers I know.
The validation middleware would then look like that:
One problem with validation libraries, though, is that the design of complex models can become very tricky.
If you spend enough time designing and debugging your data validation, both solutions should work fine.
The only thing we can say for sure is that the attack surface is reduced which means the risk is lowered. However:
- Data validation must be as precise as possible to be truly effective
- Other vulnerabilities can exist in the app (XSS, code injections, shell injections, regular SQL injections for instance)
Maintaining a data validation layer on every endpoint of an application can be very painful and time-consuming.
At Sqreen, we believe developers should be able to focus on developing their applications without having to constantly fear for security. We also believe developers deserve security tools that look like the other tools they use every day.
Sqreen will block attacks in your application (including NoSQL injections, SQL injections or XSS) without you having to take any action or to change your code. The best thing is that Sqreen takes literally 30 seconds to install in a Node.js application. In a future article, we will introduce the algorithm used by Sqreen to detect NoSQL injections.