29

I'm using MongoDB with NodeJS and am wondering if I need to sanitize data before inserting/updating database documents. It's hard to find a definite answer, and I'm wondering if there are any Node modules that do it nicely, or whether I need to strip all occurrences of $ in strings, or simply have no need to worry about this. I know that PHP has holes, but I'm using the Node/Mongo (native driver) combo and am still not sure if I need to do any cleaning of user input.

2 Answers

26

If you store your data as a String and you are not parsing it to execute a Mongo command, then there is not much to worry about.

Nice article on security

http://cr.yp.to/qmail/guarantee.html

The only problem occurs when you are retrieving the user input and you parse that input to execute a Mongo command; here you will need to take care to sanitize the input, or else you will be attacked.

There is an npm package to do that for you:

https://www.npmjs.com/package/mongo-sanitize

and a nice article on this too:

https://thecodebarbarian.wordpress.com/2014/09/04/defending-against-query-selector-injection-attacks/


1 Comment

If the request body is a JSON object and we just insert that JSON object into an update/insert query without sanitizing, what can go wrong? One thing I can imagine is that the schema can get wrong. But what else, from a security standpoint?
11

Yes, you do. For more information check this out: https://www.npmjs.com/package/content-filter

Also, the native escape() method might be used to protect the database.

Run the code snippet below to see the results.

// A string that looks like a Mongo comparison operator
let a = "{$gt:25}"
console.log(a)         // {$gt:25}
// escape() percent-encodes everything except A-Z a-z 0-9 @ * _ + - . /
console.log(escape(a)) // %7B%24gt%3A25%7D
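The following is an added example, not code from the original question, from either answer, or from the mongo-sanitize or content-filter packages. It shows the query-selector injection that the first answer's links describe: an Express-style login handler that drops a parsed JSON body straight into a filter document, the `{ "$gt": "" }` payload that turns the filter into a match-everything query, and the two defences a practitioner would reach for: rejecting values that are not strings, and recursively stripping keys that begin with `$` (the approach mongo-sanitize takes). The `matches`/`find` functions are an assumed, in-memory stand-in for the MongoDB matcher that models only equality, `$gt` and `$ne`, so the whole thing runs without a database; the user records and request bodies are constructed sample data.

```javascript
// Added example: query-selector injection in a Node/MongoDB login check and
// two defences. Not from the original page or from any npm package.

// Constructed sample "users" collection. Plaintext passwords only to keep the
// example short; a real application stores password hashes.
const USERS = [
  { username: 'alice', password: 'correct horse battery staple' },
  { username: 'bob', password: 'hunter2' },
];

// MongoDB treats an object whose first key starts with '$' as an operator
// expression; any other object is matched by equality.
function isOperatorExpr(cond) {
  return cond !== null && typeof cond === 'object' && !Array.isArray(cond)
    && Object.keys(cond).length > 0 && Object.keys(cond)[0].startsWith('$');
}

// Assumed stand-in for the server-side matcher. Models only equality, $gt and
// $ne, which is enough to show what an injected operator does.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const value = doc[field];
    if (isOperatorExpr(cond)) {
      return Object.entries(cond).every(([op, arg]) => {
        if (op === '$gt') return value > arg;
        if (op === '$ne') return value !== arg;
        throw new Error(`operator ${op} is not modelled in this example`);
      });
    }
    // Equality match. Our fields are strings, so an object (including the {}
    // left behind after sanitizing) can never equal a stored value.
    return typeof cond !== 'object' && value === cond;
  });
}

function find(filter) {
  return USERS.filter((u) => matches(u, filter));
}

// Vulnerable: the parsed JSON body goes straight into the filter. With
// express.json()/body-parser the client decides whether each value is a
// string or an object, so it can supply operators instead of data.
function loginVulnerable(body) {
  return find({ username: body.username, password: body.password }).length > 0;
}

// Defence 1: enforce the expected type. A login form only ever sends strings,
// so anything else is rejected before it reaches the query.
function loginTyped(body) {
  if (typeof body.username !== 'string' || typeof body.password !== 'string') {
    throw new TypeError('username and password must be strings');
  }
  return find({ username: body.username, password: body.password }).length > 0;
}

// Defence 2: recursively drop every key that begins with '$' (what
// mongo-sanitize does). Useful when the input legitimately is an object, e.g.
// a filter built from a JSON search form, since it removes operators but
// keeps the data.
function stripOperators(value) {
  if (Array.isArray(value)) return value.map(stripOperators);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      if (!k.startsWith('$')) out[k] = stripOperators(v);
    }
    return out;
  }
  return value;
}

function loginSanitized(body) {
  const clean = stripOperators(body);
  return find({ username: clean.username, password: clean.password }).length > 0;
}

// Constructed request bodies: an honest login, the classic "match anything"
// payload, and a targeted variant that logs in as a chosen user.
const honest = { username: 'alice', password: 'correct horse battery staple' };
const injected = { username: { $gt: '' }, password: { $gt: '' } };
const targeted = { username: 'alice', password: { $ne: '' } };

console.log(loginVulnerable(honest));    // true
console.log(loginVulnerable(injected));  // true  (no credentials needed)
console.log(loginVulnerable(targeted));  // true  (logged in as alice)
console.log(loginSanitized(injected));   // false ({} never equals a string)
console.log(loginSanitized(honest));     // true
```

Note that both defences act on the shape of the value, not on characters inside a string. A `$` inside a plain string (a password like `$ecret`) is harmless data and neither defence alters it; conversely, percent-encoding a value that is already a string does nothing to a body whose value arrived as an object, because the operator lives in the object's key, not in string content. For fields with a fixed expected type, the type check is the simplest and strictest option; key-stripping is the fallback when the input genuinely must be a document.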
