I'm trying to investigate whether NoSQL injection is possible on Ruby on Rails with the mongo and mongoid gems. I did MongoDB requests using Mongo::Client collections and models with Mongoid::Document inclusion.

I tried to pass some command characters like ' " \ ; { }, but it was sanitized. Passing GET search?title[$ne]=foo was treated like {"title"=>"{\"$ne\"=>\"foo\"}"}, so it doesn't seem like there is any problem here.

Is any NoSQL injection possible if I use ordinary methods of this technology stack?
Common operations including queries and inserts/updates in Mongoid sanitize their inputs, thus most of the time one does not need to worry about "nosql injection".
However, there are methods that pass commands directly to the database, and in those cases it is important to carefully consider whether unsanitized user input can end up as a database command. For example, if Post is a Mongoid model, one can run the following command to create an infinite loop in a MongoDB server:
Another example is the Database#command method provided by the driver to run arbitrary database commands: http://api.mongodb.com/ruby/current/Mongo/Database.html#command-instance_method. If an application places user input into parameters given to this method, this creates potential for "nosql injection".

Note also that it is not necessary to pass an unexpected command to the database - sometimes unexpected data is sufficient. See, for example, https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS. Assuming the Post model has a body field, passing an arbitrary regular expression from the user could be problematic:
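The input handling a defender would put in front of the queries the answer describes, as an added example that is not from the question, the answer, or the Mongoid project. It assumes a Post model with string fields title and body and a collection named posts; the functions build the selector hash you would hand to Post.where(...) instead of calling Mongoid, so the file runs without a database.

```ruby
# Added example: defensive handling of request parameters before they reach
# a Mongoid query or a raw driver command. Assumptions: Post model with
# string fields title and body, collection "posts". No database needed.

MAX_QUERY_LENGTH = 100

# Rails parses ?title[$ne]=foo into {"title"=>{"$ne"=>"foo"}}. Accept only a
# plain String so an operator hash never reaches the query builder at all.
def plain_string!(value, name)
  raise ArgumentError, "#{name} must be a string" unless value.is_a?(String)
  raise ArgumentError, "#{name} too long" if value.length > MAX_QUERY_LENGTH
  value
end

# Exact-match selector for title. Mongoid already serializes a Hash here as a
# string (as the question observed); rejecting it up front gives a clear
# error instead of a silent "no results".
def title_selector(params)
  { title: plain_string!(params["title"], "title") }
end

# Substring search on body. Regexp.escape turns user text into a literal
# pattern, so quantifier-heavy input such as "(a+)+$" stays a literal string
# and cannot become a catastrophic-backtracking regex (ReDoS) in the server.
def body_selector(params)
  q = plain_string!(params["q"], "q")
  { body: /#{Regexp.escape(q)}/i }
end

# Anything sent through a raw command path such as Database#command comes
# from a fixed allow-list keyed by name, never from a request parameter.
ALLOWED_COMMANDS = { "stats" => { collStats: "posts" } }.freeze

def admin_command(name)
  ALLOWED_COMMANDS.fetch(name) { raise ArgumentError, "unknown command #{name}" }
end

if __FILE__ == $0
  p title_selector("title" => "hello")
  p body_selector("q" => "(a+)+$")
  begin
    title_selector("title" => { "$ne" => "foo" })
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```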