# NoSQL Injection

**NoSQL injection** is a type of *injection attack*. Injection attacks occur when maliciously crafted inputs are submitted by an attacker, causing an application to perform an unintended action. In a NoSQL injection attack, untrusted input from the HTTP request or frontend is inserted into command to be run against a NoSQL database insecurely. This allows an attacker to run arbitrary commands on the database, meaning they can steal and manipulate sensitive data, or inject other malicious code that can be used to escalate their attack.

NoSQL databases like MongoDB, Couchbase, Cassandra and HBase relax some constraints traditionally associated with relational databases to achieve allow flexible, scalable storage. Each database engine has a query language or programmatic interface that allows applications to access and manipulate data within the database. These data access operations are usually executed using parameters from an HTTP request. You should make sure to pass these parameters to your database securely, so attackers cannot inject extra statements or change the logic of an existing statement.

## NoSQL Injection in Python

Each of the major NoSQL databases has an SDK that allows you safely update or read data. Most of these SDKs have some sort of binding mechanism – some are illustrated below.

### MongoDB

“`python
from pymongo import MongoClientdef update_user_location(email, city, zip):
client = MongoClient(MONGO_CONNECTION_STRING)
database = client.database
users = database.users

# Update the city and zip code for the user with a given email address. Make sure
# the field names for the “filter” and “update” arguments, and operators such as “$set”, are
# defined in code (rather than taken from an untrusted source) to shut out the
# possibility of injection attacks.
users.find_one_and_update(
{ “email”, email },
{ “$set” : {
“city” : city,
“zip” : zip,
}
}
)

# Try to avoid using the low-level command(…) function. If you do, make sure
# *not* to construct command strings from untrusted input, as illustrated here:
database.command(
‘{ find: “users”, “filter” : { “email” : “‘ + email + ‘” }’
)
“`

### CouchBase

“`python
from couchbase.cluster import Cluster
from couchbase.auth import PasswordAuthenticatordef update_user_location(email, city, zip):
cluster = Cluster(COUCHBASE_CONNECTION_STRING, authenticator=PasswordAuthenticator(COUCHBASE_USERNAME, COUCHBASE_PASSWORD))
bucket = cluster.bucket(‘bucket’)
users = bucket.collection(‘users’)

# Update the city and zip code for the user with a given email address – assuming that
# records are indexed by email address. Make sure field names in the update dictionary
# are taken from a trusted source, or at least checked against an allow-list.
users.upsert(
email,
dict(city=city, zip=zip)
)

# Couchbase also allows look up of records via the N1QL query language. If you use this
# functionality, make sure to use bind parameters:
cluster.query(“select * from bucket.scope.users where email = $email”, email=email)
cluster.query(“select * from bucket.scope.users where email = $1”, email)
“`

### Cassandra

“`python
from cassandra.cluster import Clusterdef update_user_location(email, city, zip):
cluster = Cluster(CASSANDRA_CONNECTION_STRING)
session = cluster.connect()

# Update the city and zip code for the user with a given email address – using
# bind parameters to protect ourselves from injection attacks.
prepared = session.prepare(“update users set city = ? and zip = ? where email = ?”)

session.execute(prepared, [ city, zip, email ])
“`

### Hbase

“`python
import happybasedef update_user_location(email, city, zip):
connection = happybase.Connection(HBASE_CONNECTION_STRING)
table = connection.table(“users”)

# Update the city and zip code for the user with a given email address – assuming that
# each row key is generated from the email address. Providing the family and qualifier
# for the column names are taken from a trusted source – or checked against an allow-list –
# you are protected from injection attacks.
table.put(email, { b’main:city’: city, b’main:zip’: zip })
“`

## CWEs

* [CWE-943](https://cwe.mitre.org/data/definitions/943.html)

About ShiftLeft

ShiftLeft empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, ShiftLeft CORE scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, ShiftLeft then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use ShiftLeft ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, ShiftLeft is based in Santa Clara, California. For information, visit: www.shiftleft.io.

Share

See for yourself – run a scan on your code right now