Continued MongoDB breaches have cruelly reminded MongoDB users that security should be a major concern. But configuration is not the only weak spot in MongoDB’s armor. Here is the second article of our series on MongoDB injections.
In an earlier post, we introduced you to a kind of injection in applications that use MongoDB (especially the ones based on Node.js/Express). As the risks linked to such attacks are very high, the legitimate follow-up question is “How can one protect an application against this kind of NoSQL injection?”
In this article, we will see how data validation can be used to prevent object injections in MongoDB queries.
How do you prevent NoSQL injections with data validation?
The injections we referred to in the last article are based on object injection: if the attacker is able to have an object injected where a string is expected, they can forge a malicious MongoDB query.
Using data validation will ensure that the request’s parameters will be correctly formatted and typed.
Manual Data validation
The code of the controller is:
In our example, we could add a data validation middleware to check the format of the request’s body:
This middleware has to be inserted before the controller we wrote earlier. This solution, while being very clear, can easily bloat your codebase. You will have to test and maintain more and more code when your data models become more and more complex.
Using a library
I would recommend using a library to do this heavy lifting, for example Joi. There is even a nice middleware to help you using Joi with express. It is named Celebrate and is maintained by some of the best Node.js developers I know.
The validation middleware would then look like this:
One problem with validation libraries, though, is that the design of complex models can become very tricky.
If you spend enough time designing and debugging your data validation, both solutions should work fine.
Is an application safe if every user request is validated with Joi?
The only thing we can say for sure is that the attack surface is reduced, which means the risk of NoSQL injections is lowered. However:
- Data validation must be as precise as possible to be truly effective
- Other vulnerabilities can exist in the app (XSS, code injections, shell injections, and regular SQL injections for instance)
Hackers will always find new ways to attack web applications. This is a continuous race to stay one step forward. Security is not a part-time job!
How do you protect yourself without pain?
Maintaining a data validation layer on every endpoint of an application can be very painful and time-consuming.
At Sqreen, we believe security should be straightforward and something that both developers and security teams can leverage and get value out of.
Sqreen will block attacks in your application (including NoSQL injections, SQL injections, and XSS) without you having to take any action or change your code. The best thing is that Sqreen takes literally 30 seconds to install in a Node.js application. In a future article, we will introduce the algorithm used by Sqreen to detect NoSQL injections.