NoSQL injection High

Using user-provided input that has not been properly sanitized can lead to injection attacks. Injecting JSON into an application can enable injection attacks against a NoSQL database.

Detector ID
typescript/nosql-injection@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

1import * as AWS from 'aws-sdk'
2import express, {Request, Response} from 'express'
// Express application shared by the route registration below.
const app = express()
/**
 * Registers GET /api/getallusers on the shared Express app.
 *
 * Noncompliant: the DynamoDB scan parameters are taken verbatim from
 * `req.body.params`, so whoever sends the request controls every field
 * of the scan (table name, filter and projection expressions, attribute
 * values). Results are only written to the console; the handler never
 * sends an HTTP response.
 */
function noSqlInjectionNoncompliant() {
    app.get('/api/getallusers', (req: Request, res: Response) => {
        const docClient = new AWS.DynamoDB.DocumentClient({region: "us-east-1"});
        // Noncompliant: external user input can be vulnerable to injection attacks.
        // NOTE(review): `req.body` is only populated when a body-parsing
        // middleware is mounted; none is shown here, so confirm the setup.
        const params = req.body.params
        type Row = { Title: { S: string; }; Subtitle: { S: string; }; }
        docClient.scan(params, (err: any, data: { Items: Row[]; }) => {
            if (err) {
                console.log("Error", err)
                return
            }
            // Print "<title> (<subtitle>)" for every returned item.
            data.Items.forEach((element: Row) => {
                console.log(`${element.Title.S} (${element.Subtitle.S})`)
            })
        })
    })
}

Compliant example

1import * as AWS from 'aws-sdk'
2import express, {Request, Response} from 'express'
// Express application shared by the route registration below.
const app = express()
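/**
 * Registers GET /api/getallusers on the shared Express app.
 *
 * Compliant: the scan parameters are a fixed object built entirely in
 * code (table name and projection), so nothing taken from the request
 * reaches the `scan` API. The route answers every request: 200 with the
 * returned items on success, 500 with a generic message on failure.
 */
function noSqlInjectionCompliant() {
    app.get('/api/getallusers', (req: Request, res: Response) => {
        const docClient = new AWS.DynamoDB.DocumentClient({region: "us-east-1"});
        // Server-controlled query: no field is derived from `req`.
        const params = {
            TableName: "dynamodb-example-node",
            ProjectionExpression: "user_id, username, user_age",
        }
        // Compliant: should not use external input in `scan` API.
        docClient.scan(params, (err: unknown, data: { Items: unknown; }) => {
            if (err) {
                // Keep the detail server-side; the client only gets a generic
                // message. Without a response here the request would stay
                // open until the client times out.
                console.log(err)
                res.status(500).json({ "status": 0, "message": "internal error" })
                return
            }
            res.status(200).json({ "status": 1, "message": "user exists", "data": data.Items })
        })
    })
}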