Fixing NoSQL injection
NoSQL databases are a different type of database in which non-relational and semi-structured data is stored. There are many kinds of NoSQL databases to name, such as Cassandra, Redis, DynamoDB, and MongoDB, each with its own query language. Although distinct from one another, these queries are also prone to injection attacks.
In this recipe, we will identify the NoSQL injection vulnerability in code that is using MongoDB as the backend and fix the problem by applying several countermeasures.
Getting ready
Using Visual Studio Code, open the sample Online Banking app folder at Chapter02\nosql-injection\before\OnlineBankingApp
.
How to do it…
Let's take a look at the steps for this recipe:
- Launch Visual Studio Code and open the starting exercise folder by typing the following command:
code .
- Navigate to Terminal | New Terminal in the menu or simply press Ctrl + Shift + ' in Visual Studio Code.
- Type the following command in the terminal to build the sample app to confirm that there are no compilation errors:
dotnet build
- Open the
Services/PayeeService.cs
file and locate the vulnerable part of the code in theGet(string name)
method:public List<Payee> Get(string name) { var filter = "{$where: \"function() {return this.Name == '" + name + "'}\"}"; return payees.Find(filter).ToList(); }
- To remediate the NoSQL injection vulnerability, change the preceding highlighted code:
public List<Payee> Get(string name) { return payees.Find(payee => payee.Name == name).ToList(); }
The filter passed into the Find
method is now replaced with a Lambda expression, a much more secure way of searching for a payee by name.
How it works…
The Get
method has a string parameter that can be supplied with a non-sanitized or validated value. This value can alter the MongoDB filter composed with it, making the NoSQL database perform an unintended behavior.
The name
parameter can be appended with an expression that would evaluate the query into a logical result different from what the query was expected to perform. A JavaScript clause can also be inserted into a query that can terminate the statement and add a new block of arbitrary code.
By way of some general advice, avoid using the $where
operator. Simply apply a C# Lambda expression as a filter to prevent any injectable JSON or JavaScript expression.
There's more…
Suppose the preceding options are not possible and it is necessary to use the $where
clause, you must then JavaScript-encode the input. Use the JavaScriptEncoder
class from the System.Text.Encodings.Web
namespace to encode the value being passed into the parameter:
- First, modify the
PayeeService.cs
file to add a reference to theEncoder
namespace:using System.Text.Encodings.Web;
- Next, define a property for
JavaScriptEncoder
:private readonly JavaScriptEncoder _jsEncoder;
- Change the
PayeeService
constructor and add a new parameter to injectJavaScriptEncoder
:public PayeeService(IOnlineBankDatabaseSettings settings,JavaScriptEncoder jsEncoder)
- Lastly, encode the
name
parameter using theEncode
function ofJavaScriptEncoder
:var filter = "{$where: \"function() {return this.Name == '" + _jsEncoder.Encode(name) + "'}\"}";
If a malicious input was passed into the name
parameter and was escaped by the Encode
method, the C# MongoDB driver will throw an exception if the escaped value could not be interpreted as a valid JavaScript expression.
To prevent NoSQL injections, developers must avoid building dynamic queries using string concatenation. NoSQL databases offer ways to query and process data, but you must be aware of potential security implications a feature might bring into the ASP.NET Core web application.