To prevent unauthorized data access and manipulation through NoSQL Injection attacks
    defmodule MyAppWeb.PageController do
      use MyAppWeb, :controller

      def show(conn, %{"id" => id}) do
        # The request parameter is used as the query filter as-is.
        page = Mongo.find(:mongo, "pages", %{"_id" => id}) |> Enum.to_list()
        json(conn, page)
      end
    end
In this insecure code, the Elixir/Phoenix application takes the `id` request parameter and passes it straight into the MongoDB query filter without validating it. This can be exploited for a NoSQL Injection attack, leading to unauthorized data access or manipulation.
    defmodule MyAppWeb.PageController do
      use MyAppWeb, :controller

      def show(conn, %{"id" => id}) do
        # Strip the characters MongoDB reserves for operators ('$') and field paths ('.').
        id =
          id
          |> String.replace("$", "")
          |> String.replace(".", "")

        page = Mongo.find(:mongo, "pages", %{"_id" => id}) |> Enum.to_list()
        json(conn, page)
      end
    end
In this secure code, the application sanitizes the user input by removing the characters '$' and '.', which MongoDB uses to introduce query operators and to address nested field paths. The sanitized input is then used in the MongoDB query.
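Character stripping only helps when `id` is a string; in a Phoenix app, Plug can also decode a parameter such as `id[$ne]=x` into a map, and `String.replace/3` would then raise rather than sanitize. The following added example (not part of the original page) hardens the same controller by enforcing the parameter's type with a guard and by decoding it into a `BSON.ObjectId` before it reaches the driver. It assumes the `_id` field stores ObjectIds and that the Elixir MongoDB driver's `BSON.ObjectId.decode/1` returns `{:ok, oid}` or `:error`.

```elixir
defmodule MyAppWeb.PageController do
  use MyAppWeb, :controller

  # Only a plain string matches this clause. A map or list produced by a query
  # string like ?id[$ne]=x never reaches the database query.
  def show(conn, %{"id" => id}) when is_binary(id) do
    # Assumption: BSON.ObjectId.decode/1 validates the 24-hex-digit form and
    # yields a typed ObjectId, so the filter is always an equality match on _id.
    case BSON.ObjectId.decode(id) do
      {:ok, object_id} ->
        page =
          Mongo.find(:mongo, "pages", %{"_id" => object_id})
          |> Enum.to_list()

        json(conn, page)

      :error ->
        conn
        |> put_status(:bad_request)
        |> json(%{error: "invalid id"})
    end
  end

  # Any other parameter shape (map, list, missing) is rejected before any
  # database access takes place.
  def show(conn, _params) do
    conn
    |> put_status(:bad_request)
    |> json(%{error: "invalid id"})
  end
end
```

Because the query filter is built from a typed value rather than a user-controlled structure, no operator can be injected regardless of which characters the request contained.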