Описание
NoSQL Injection in loopback-connector-mongodb
Versions of loopback-connector-mongodb before 3.6.0 are vulnerable to NoSQL injection.
MongoDB Connector for LoopBack fails to properly sanitize a filter passed to query the database by allowing the dangerous $where property to be passed to the MongoDB Driver. The Driver allows the special $where property in a filter to execute JavaScript (client can pass in a malicious script) on the database Driver. This is an intended feature of MongoDB unless disabled (instructions here).
A proof of concept malicious query:
GET /POST filter={"where": {"$where": "function(){sleep(5000); return this.title.contains('Hello');}"}}
The above makes the database sleep for 5 seconds and then returns all “Posts” with the title containing the word Hello.
Recommendation
Update to version 3.6.0 or later.
Ссылки
- https://github.com/strongloop/loopback-connector-mongodb/issues/403
- https://github.com/strongloop/loopback-connector-mongodb/pull/452
- https://github.com/strongloop/loopback-connector-mongodb/commit/ee24cd08b8ccc32711264831c71b1da628df357b
- https://loopback.io/doc/en/lb3/Security-advisory-08-15-2018.html
- https://www.npmjs.com/advisories/696
Пакеты
Наименование
loopback-connector-mongodb
npm
Затронутые версииВерсия исправления
< 3.6.0
3.6.0
Дефекты
CWE-89
Дефекты
CWE-89