# NoSQL Injection

- ID: go-nosql-injection
- Severity: HIGH
- CWE: NoSQL Injection (CWE-943)
- Languages: Go
- Frameworks: stdlib, gin, echo, fiber, chi

## Description

Detects user input flowing to MongoDB or Redis queries without proper validation.

## Detection Message

Untrusted input from {source} reaches NoSQL query at:

Code: {sink_code}

This allows an attacker to manipulate database queries and access unauthorized data.

## Remediation

Use typed structs or explicit `$eq` operators for MongoDB, validate Redis keys with regex.

```go
filter := bson.M{"username": bson.M{"$eq": username}}
```

Learn more: https://shoulder.dev/learn/go/cwe-943/nosql-injection

## Related Rules

- **NoSQL Injection via MongoDB Queries** [HIGH]
- **NoSQL Injection** [HIGH]
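The remediation above, as an added example that is not part of the rule's own code: a request body decoded into an untyped map next to the typed-struct and `$eq` form, plus a regex check for a Redis key segment. It assumes a local `M` type standing in for `bson.M` so it runs with the standard library only; `loginRequest`, `UnsafeFilter`, `SafeFilter`, `SessionKey` and the key pattern are hypothetical names and values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// M stands in for bson.M (assumption) so no MongoDB driver is needed here.
type M map[string]interface{}

// loginRequest is the typed struct: username can only decode as a string.
type loginRequest struct{ Username string `json:"username"` }

// redisKeyPart is an assumed allow-list for user-supplied key segments.
var redisKeyPart = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

// UnsafeFilter copies the decoded JSON value into the filter, objects included.
func UnsafeFilter(body []byte) (M, error) {
	var raw map[string]interface{}
	if err := json.Unmarshal(body, &raw); err != nil {
		return nil, err
	}
	return M{"username": raw["username"]}, nil
}

// SafeFilter decodes into the typed struct and wraps the value in $eq.
func SafeFilter(body []byte) (M, error) {
	var req loginRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return nil, fmt.Errorf("rejecting request: %w", err)
	}
	return M{"username": M{"$eq": req.Username}}, nil
}

// SessionKey builds a Redis key only from an allow-listed segment.
func SessionKey(userID string) (string, error) {
	if !redisKeyPart.MatchString(userID) {
		return "", fmt.Errorf("invalid key segment %q", userID)
	}
	return "session:" + userID, nil
}

func main() {
	u, _ := UnsafeFilter([]byte(`{"username": {"$ne": null}}`)) // constructed input
	_, err := SafeFilter([]byte(`{"username": {"$ne": null}}`))
	fmt.Println(u, err)
}
```

With the untyped map, the nested object reaches the filter as a query operator; with the typed struct, decoding fails before any query is built.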