Improper Neutralization of Special Elements in Data Query Logic (CWE-943)

Improper Neutralization of Special Elements in Data Query Logic

The product generates a query intended to access or manipulate data in a data store, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

This covers injection attacks against NoSQL databases, ORM frameworks, and other data query mechanisms that differ from traditional SQL injection.

普及度

高

頻繁に悪用される

影響度

ハイ

3 件の重大度ハイのルール

予防

文書化済み

3 件の修正例

2 予防

この脆弱性の修正方法

3 件の Shoulder 検出ルールに基づく NoSQL Injection の予防策。

🐹 Go すべて表示 Go 詳細 →

NoSQL Injection HIGH

Use typed structs or explicit operators, validate all user input

+2 -1 go

  func findUser(w http.ResponseWriter, r *http.Request) {
      username := r.URL.Query().Get("username")
-     filter := bson.M{"username": username}
+     // Use explicit $eq to prevent operator injection
+     filter := bson.M{"username": bson.M{"$eq": username}}
      collection.FindOne(ctx, filter)
  }

🟨 JavaScript すべて表示 JavaScript 詳細 →

NoSQL Injection via MongoDB Queries HIGH

Validate input types and sanitize MongoDB operators

+5 -3 javascript

- app.post('/login', async (req, res) => {
-   const { username, password } = req.body;
-   // Vulnerable: user can send { "$gt": "" } as password
+ const mongoSanitize = require('mongo-sanitize');
+ 
+ app.post('/login', async (req, res) => {
+   const username = mongoSanitize(req.body.username);
+   const password = mongoSanitize(req.body.password);
    const user = await User.findOne({ username, password });
    if (user) {
      res.json({ success: true });
    }
  });

🐍 Python すべて表示 Python 詳細 →

NoSQL Injection HIGH

Validate input types and use ObjectId for ID fields

+7 -2 python

  from flask import request
  from pymongo import MongoClient
  
  db = MongoClient().mydb
  
  @app.route('/login', methods=['POST'])
  def login():
      data = request.get_json()
-     # Vulnerable: entire dict from user
-     user = db.users.find_one(data)
+     # Safe: only use specific string fields
+     username = str(data.get('username', ''))
+     password = str(data.get('password', ''))
+     user = db.users.find_one({
+         'username': username,
+         'password': password
+     })
      return {'success': bool(user)}

3 検出

コードの脆弱性を見つける

Shoulderを使用してコードのImproper Neutralization of Special Elements in Data Query Logicパターンをスキャンしましょう。 3 ルール.

ターミナル

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=943

# Or scan entire project
npx @shoulderdev/cli trust .

検出ルール (3)

🐹 Go 1 rules

NoSQL Injection HIGH

Detects user input flowing to MongoDB or Redis queries without proper validation.

🟨 Javascript 1 rules

NoSQL Injection via MongoDB Queries HIGH

Detects user input flowing into NoSQL database queries without validation.

🔷 Typescript 1 rules

NoSQL Injection via MongoDB Queries HIGH

Detects user input flowing into NoSQL database queries without validation.

🐍 Python 1 rules

NoSQL Injection HIGH

Detects untrusted user input being used in NoSQL queries without proper validation.

4 警告サイン

コードレビューで注目すべき点

これらのパターンはImproper Neutralization of Special Elements in Data Query Logicの潜在的な脆弱性を示しています。コードレビューとセキュリティ監査中に探してください。

🟠

user input flowing to MongoDB or Redis queries without proper validation go-nosql-injection

🟠

user input flowing into NoSQL database queries without validation javascript-nosql-injection

🟠

untrusted user input being used in NoSQL queries without proper validation python-nosql-injection

🔍

コードベースをスキャン: Improper Neutralization of Special Elements in Data Query Logic

Shoulder CLI はコードベース全体から脆弱なパターンを見つけます。

npx shoulder trust すべてのルールを表示