Not in particular. The surface area of attack differs greatly (Does everyone hate MongoDB? is an excellent article describing some of the self-inflicted foot shots) and if you do insecure things, insecurity happens. If one avoids potential security issues, then MongoDB itself is fairly resilient to injection-style attacks given it doesn't utilize a programming language (SQL, which tempts people into using `sprintf` for string interpolation / variable replacement…) to issue queries and instead relies on a "dumb" data description of the query.

The gotchas are `$where` (MongoDB) and structured form deserialization (web framework). Avoid them like the plague if you possibly can. Use of `$where` can allow JS code injection if not utilized extremely carefully. Additionally, if you allow form fields to define structure, this structure can be used to subvert the intent of the query. The example OWASP provide is that of `username=tolkien&password=hobbit` being sensible input, and `username[$ne]=1&password[$ne]=1` input illustrating an exploit as this dramatically changes the meaning of the query. (In MongoEngine's case allowing user control over field names would similarly allow attackers to alter the query this way, e.g. `username__ne=attacker&password__ne=1`.) Of course, structured deserialization is primarily an issue for PHP, but there are Python frameworks that make use of it, too.

Overall, Security Intelligence has a nice summary and OWASP follow it up with things to test.
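The two failure modes in the comment above (structured form deserialization turning `username[$ne]=1` into an operator document, and MongoEngine-style `username__ne=` keys being passed straight through as filter kwargs) are easy to reproduce and to defend against without touching a database. The following is an added example, not code from the comment, OWASP, or the MongoEngine project: it mimics the naive structured-deserialization parser so the shape of the resulting filter is visible, then shows a hardened request handler that whitelists field names, keeps every value a plain string, and walks a JSON body refusing operator-like keys. `ALLOWED_FIELDS`, `UntrustedInput` and the helper names are assumptions made for this example.

```python
import re
from urllib.parse import parse_qsl

# Hypothetical login form: only these two keys are ever acceptable.
ALLOWED_FIELDS = {"username", "password"}


class UntrustedInput(ValueError):
    """Raised when request input could change the structure of a query."""


def naive_query_from_form(query_string: str) -> dict:
    """Emulate PHP-style structured deserialization, where `a[b]=c`
    becomes the nested document {"a": {"b": "c"}}. This is the weak
    pattern: the client, not the application, decides the query shape."""
    query: dict = {}
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        nested = re.fullmatch(r"(\w+)\[(.+)\]", key)
        if nested:
            query.setdefault(nested.group(1), {})[nested.group(2)] = value
        else:
            query[key] = value
    return query


def safe_login_filter(query_string: str) -> tuple:
    """Hardened builder for the same form.
    - field names come from a fixed whitelist, so neither `username[$ne]`
      nor the MongoEngine lookup `username__ne` can reach the filter;
    - values are always plain strings (parse_qsl never yields dicts);
    - only the username becomes a database filter; the password is returned
      separately to be checked against a stored hash, never matched in-query."""
    fields: dict = {}
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        if key not in ALLOWED_FIELDS:
            raise UntrustedInput(f"unexpected form field {key!r}")
        if key in fields:
            raise UntrustedInput(f"duplicate form field {key!r}")
        fields[key] = str(value)
    missing = ALLOWED_FIELDS - fields.keys()
    if missing:
        raise UntrustedInput(f"missing form fields {sorted(missing)}")
    return {"username": fields["username"]}, fields["password"]


def reject_operators(body, path: str = "body"):
    """Walk a JSON-decoded request body (dicts/lists/scalars) and refuse any
    key that could be interpreted as a MongoDB operator ("$ne"), a dotted
    path ("a.b"), or a MongoEngine lookup suffix ("username__ne").
    Returns the body unchanged when it is clean."""
    if isinstance(body, dict):
        for key, value in body.items():
            if not isinstance(key, str) or key.startswith("$") or "." in key or "__" in key:
                raise UntrustedInput(f"{path}.{key}: operator-like key rejected")
            reject_operators(value, f"{path}.{key}")
    elif isinstance(body, list):
        for index, value in enumerate(body):
            reject_operators(value, f"{path}[{index}]")
    return body


def is_rejected(func, *args) -> bool:
    """Small helper so callers can check a rejection without try/except."""
    try:
        func(*args)
    except UntrustedInput:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: the benign and malicious pairs quoted from OWASP above.
    benign = "username=tolkien&password=hobbit"
    operator_injection = "username[$ne]=1&password[$ne]=1"
    mongoengine_lookup = "username__ne=attacker&password__ne=1"

    print("naive, benign:   ", naive_query_from_form(benign))
    print("naive, injected: ", naive_query_from_form(operator_injection))
    print("safe, benign:    ", safe_login_filter(benign))
    print("safe rejects operator form:", is_rejected(safe_login_filter, operator_injection))
    print("safe rejects __ne lookup:  ", is_rejected(safe_login_filter, mongoengine_lookup))
    print("body walker rejects $ne:   ", is_rejected(reject_operators, {"username": {"$ne": 1}}))
```

The naive parser shows why `username[$ne]=1&password[$ne]=1` is dangerous: the filter it produces is `{"username": {"$ne": "1"}, "password": {"$ne": "1"}}`, which matches every document rather than one user. The hardened path never lets request keys name fields or operators, and `reject_operators` gives the same guarantee for JSON bodies, where a value can legitimately be a nested object and a key-level check is the only reliable place to stop `$`-prefixed or `__`-suffixed keys.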