Improper Neutralization of Special Elements in Data Query Logic (CWE-943)

Improper Neutralization of Special Elements in Data Query Logic

The product generates a query intended to access or manipulate data in a data store, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

This covers injection attacks against NoSQL databases, ORM frameworks, and other data query mechanisms that differ from traditional SQL injection.

普遍性

高

频繁被利用

影响

高

3 条严重级别为高的规则

预防

已记录

3 个修复示例

2 预防

如何修复此漏洞

基于 3 条 Shoulder 检测规则的 NoSQL Injection 预防策略。

🐹 Go 查看全部 Go 详情 →

NoSQL Injection HIGH

Use typed structs or explicit operators, validate all user input

+2 -1 go

  func findUser(w http.ResponseWriter, r *http.Request) {
      username := r.URL.Query().Get("username")
-     filter := bson.M{"username": username}
+     // Use explicit $eq to prevent operator injection
+     filter := bson.M{"username": bson.M{"$eq": username}}
      collection.FindOne(ctx, filter)
  }

🟨 JavaScript 查看全部 JavaScript 详情 →

NoSQL Injection via MongoDB Queries HIGH

Validate input types and sanitize MongoDB operators

+5 -3 javascript

- app.post('/login', async (req, res) => {
-   const { username, password } = req.body;
-   // Vulnerable: user can send { "$gt": "" } as password
+ const mongoSanitize = require('mongo-sanitize');
+ 
+ app.post('/login', async (req, res) => {
+   const username = mongoSanitize(req.body.username);
+   const password = mongoSanitize(req.body.password);
    const user = await User.findOne({ username, password });
    if (user) {
      res.json({ success: true });
    }
  });

🐍 Python 查看全部 Python 详情 →

NoSQL Injection HIGH

Validate input types and use ObjectId for ID fields

+7 -2 python

  from flask import request
  from pymongo import MongoClient
  
  db = MongoClient().mydb
  
  @app.route('/login', methods=['POST'])
  def login():
      data = request.get_json()
-     # Vulnerable: entire dict from user
-     user = db.users.find_one(data)
+     # Safe: only use specific string fields
+     username = str(data.get('username', ''))
+     password = str(data.get('password', ''))
+     user = db.users.find_one({
+         'username': username,
+         'password': password
+     })
      return {'success': bool(user)}

3 检测

查找代码中的漏洞

使用Shoulder扫描代码中的Improper Neutralization of Special Elements in Data Query Logic模式。 3 规则.

终端

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=943

# Or scan entire project
npx @shoulderdev/cli trust .

检测规则 (3)

🐹 Go 1 rules

NoSQL Injection HIGH

Detects user input flowing to MongoDB or Redis queries without proper validation.

🟨 Javascript 1 rules

NoSQL Injection via MongoDB Queries HIGH

Detects user input flowing into NoSQL database queries without validation.

🔷 Typescript 1 rules

NoSQL Injection via MongoDB Queries HIGH

Detects user input flowing into NoSQL database queries without validation.

🐍 Python 1 rules

NoSQL Injection HIGH

Detects untrusted user input being used in NoSQL queries without proper validation.

4 警告信号

代码审查中需要关注的内容

这些模式表明潜在的Improper Neutralization of Special Elements in Data Query Logic漏洞。在代码审查和安全审计中注意查找。

🟠

user input flowing to MongoDB or Redis queries without proper validation go-nosql-injection

🟠

user input flowing into NoSQL database queries without validation javascript-nosql-injection

🟠

untrusted user input being used in NoSQL queries without proper validation python-nosql-injection

🔍

扫描你的代码库: Improper Neutralization of Special Elements in Data Query Logic

Shoulder CLI 在整个代码库中找到易受攻击的模式。

npx shoulder trust 浏览所有规则