- Security risk: High (CVSS: 7.1)
- Vulnerability:
loopback-connector-mongodb
allows NoSQL Injections
Description
MongoDB Connector for LoopBack fails to properly sanitize a filter passed to query the database by allowing the dangerous $where
property to be passed to the MongoDB Driver. The Driver allows the special $where
property in a filter to execute JavaScript (client can pass in a malicious script) on the database Driver. This is an intended feature of MongoDB unless disabled (instructions here).
An example malicious query:
GET /POST filter={"where": {"$where": "function(){sleep(5000); return this.title.contains('Hello');}"}}
The above makes the database sleep for 5 seconds and then returns all “Posts” with the title containing the word Hello
.
The Fix
The connector now sanitizes all queries passed to the MongoDB Driver by default and deletes the $where
and mapReduce
properties. If you need to use these properties from within LoopBack programatically, you can disable the sanitization by passing in an options
object with disableSanitization
property set to true
.
Example:
Post.find(
{where: {$where: 'function() { /*dangerous function here*/}'}},
{disableSanitization: true},
(err, p) => {
// code to handle results / error.
}
);
Reported by
@NelsonBrandao via GitHub Issue #403
Versions affected
loopback-connector-mongodb
version 3.5.0 and below
Solution
Upgrade to loopback-connector-mongodb
3.6.0 or later if your repository is using an outdated package.
Ensure that your application’s package.json
has the following line:
"dependencies": {
...
"loopback-connector-mongodb": "^3.6.0",
...
},
Then upgrade your project dependencies to use the latest version :
$ cd <app-root>
$ npm update