Improper Neutralization of Special Elements in Data Query Logic (CWE-943)

Improper Neutralization of Special Elements in Data Query Logic

The product generates a query intended to access or manipulate data in a data store, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

This covers injection attacks against NoSQL databases, ORM frameworks, and other data query mechanisms that differ from traditional SQL injection.

Prevalence

High

Frequently exploited

Impact

High

3 high-severity rules

Prevention

Documented

3 fix examples

2 Prevention

How to fix this vulnerability

Prevention strategies for NoSQL Injection based on 3 Shoulder detection rules.

🐹 Go View all Go details →

NoSQL Injection HIGH

Use typed structs or explicit operators, validate all user input

+2 -1 go

  func findUser(w http.ResponseWriter, r *http.Request) {
      username := r.URL.Query().Get("username")
-     filter := bson.M{"username": username}
+     // Use explicit $eq to prevent operator injection
+     filter := bson.M{"username": bson.M{"$eq": username}}
      collection.FindOne(ctx, filter)
  }

🟨 JavaScript View all JavaScript details →

NoSQL Injection via MongoDB Queries HIGH

Validate input types and sanitize MongoDB operators

+5 -3 javascript

- app.post('/login', async (req, res) => {
-   const { username, password } = req.body;
-   // Vulnerable: user can send { "$gt": "" } as password
+ const mongoSanitize = require('mongo-sanitize');
+ 
+ app.post('/login', async (req, res) => {
+   const username = mongoSanitize(req.body.username);
+   const password = mongoSanitize(req.body.password);
    const user = await User.findOne({ username, password });
    if (user) {
      res.json({ success: true });
    }
  });

🐍 Python View all Python details →

NoSQL Injection HIGH

Validate input types and use ObjectId for ID fields

+7 -2 python

  from flask import request
  from pymongo import MongoClient
  
  db = MongoClient().mydb
  
  @app.route('/login', methods=['POST'])
  def login():
      data = request.get_json()
-     # Vulnerable: entire dict from user
-     user = db.users.find_one(data)
+     # Safe: only use specific string fields
+     username = str(data.get('username', ''))
+     password = str(data.get('password', ''))
+     user = db.users.find_one({
+         'username': username,
+         'password': password
+     })
      return {'success': bool(user)}

3 Detection

Find vulnerabilities in your code

Use Shoulder to scan your codebase for Improper Neutralization of Special Elements in Data Query Logic patterns. 3 rules.

terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=943

# Or scan entire project
npx @shoulderdev/cli trust .

Detection Rules (3)

🐹 Go 1 rules

NoSQL Injection HIGH

Detects user input flowing to MongoDB or Redis queries without proper validation.

🟨 Javascript 1 rules

NoSQL Injection via MongoDB Queries HIGH

Detects user input flowing into NoSQL database queries without validation.

🔷 Typescript 1 rules

NoSQL Injection via MongoDB Queries HIGH

Detects user input flowing into NoSQL database queries without validation.

🐍 Python 1 rules

NoSQL Injection HIGH

Detects untrusted user input being used in NoSQL queries without proper validation.

4 Warning Signs

What to watch for in code reviews

These patterns indicate potential Improper Neutralization of Special Elements in Data Query Logic vulnerabilities. Look for these during code reviews and security audits.

🟠

user input flowing to MongoDB or Redis queries without proper validation go-nosql-injection

🟠

user input flowing into NoSQL database queries without validation javascript-nosql-injection

🟠

untrusted user input being used in NoSQL queries without proper validation python-nosql-injection

🔍

Scan your codebase for Improper Neutralization of Special Elements in Data Query Logic

Shoulder CLI finds vulnerable patterns across your entire codebase.

npx shoulder trust Browse all rules