Nosql Injection in Chi

Nosql injection in Chi manifests when untrusted user input is directly interpolated into MongoDB queries without proper sanitization. Unlike SQL injection, NoSQL injection exploits the dynamic nature of JavaScript objects and query operators in MongoDB's query language.

Consider this Chi route handler that's vulnerable to NoSQL injection:

app.post('/api/users', async (req, res) => {
  const { username, password } = req.body;
  
  // Vulnerable: direct interpolation of user input
  const user = await db.collection('users').findOne({
    $and: [
      { username: username },
      { password: password }
    ]
  });
  
  if (user) {
    res.json({ success: true });
  } else {
    res.status(401).json({ error: 'Invalid credentials' });
  }
});

An attacker can exploit this by sending a JSON payload with special MongoDB operators:

{
  "username": { "$ne": null },
  "password": { "$ne": null }
}

This payload bypasses authentication by using the $ne (not equal) operator to match any user record where username and password are not null. The query effectively becomes:

{ $and: [ { username: { $ne: null } }, { password: { $ne: null } } ] }

Another common pattern in Chi applications is using URL parameters directly in queries:

app.get('/api/users/:id', async (req, res) => {
  const userId = req.params.id;
  
  // Vulnerable: no validation of userId format
  const user = await db.collection('users').findOne({ _id: userId });
  res.json(user);
});

If the _id field is an ObjectId, an attacker can send a specially crafted string that manipulates the query logic, potentially accessing other users' data or causing application errors.

Detecting NoSQL injection in Chi applications requires both static analysis and runtime scanning. middleBrick's black-box scanning approach is particularly effective because it tests the actual running application without needing source code access.

middleBrick scans for NoSQL injection by sending crafted payloads to your Chi endpoints and analyzing responses. The scanner tests for common MongoDB injection patterns including:

• Logical operator injection ($ne, $gt, $lt, $regex)
• Projection manipulation ($slice, $elemMatch)
• Query operator abuse ($where, $expr)
• Object injection and type confusion

For Chi applications, middleBrick's API security scan includes these specific NoSQL injection tests:

$ middlebrick scan https://your-chiapp.com/api/users

Scan Results (5/12 checks passed)

✅ Authentication: A
✅ Rate Limiting: B
✅ Data Exposure: C
⚠️ NoSQL Injection: D
✅ Encryption: A

Findings:
[CRITICAL] NoSQL Injection - Authentication Bypass
  Severity: Critical
  Path: POST /api/users
  Payload: { "username": { "$ne": null }, "password": { "$ne": null } }
  Impact: Authentication bypass, data exposure
  Remediation: Use parameterized queries, validate input types

middleBrick's continuous monitoring feature (Pro plan) can automatically re-scan your Chi APIs on a schedule, alerting you if new vulnerabilities are introduced during development.

Remediating NoSQL injection in Chi applications involves input validation, parameterized queries, and proper type handling. Here are Chi-specific fixes for common vulnerabilities:

1. Input Validation and Sanitization

const { celebrate, Joi } = require('celebrate');

// Validate request body before it reaches your route handler
app.post('/api/users', celebrate({
  body: Joi.object().keys({
    username: Joi.string().alphanum().min(3).max(30).required(),
    password: Joi.string().min(8).required()
  })
}), async (req, res) => {
  const { username, password } = req.body;
  
  // Safe: validated input, no special characters allowed
  const user = await db.collection('users').findOne({
    $and: [
      { username: username },
      { password: password }
    ]
  });
  
  res.json({ success: user ? true : false });
});

2. Type-Safe Query Construction

const { Types } = require('mongoose'); // or use native MongoDB driver

app.get('/api/users/:id', async (req, res) => {
  const userId = req.params.id;
  
  // Validate ObjectId format before using it in query
  if (!Types.ObjectId.isValid(userId)) {
    return res.status(400).json({ error: 'Invalid user ID format' });
  }
  
  const user = await db.collection('users').findOne({ 
    _id: new Types.ObjectId(userId) 
  });
  
  res.json(user);
});

3. Parameterized Query Pattern

app.post('/api/search', async (req, res) => {
  const { field, value } = req.body;
  
  // Whitelist allowed fields and operators
  const allowedFields = ['username', 'email', 'status'];
  const allowedOperators = ['$eq', '$ne', '$gt', '$lt'];
  
  if (!allowedFields.includes(field)) {
    return res.status(400).json({ error: 'Invalid search field' });
  }
  
  // Construct query safely
  const query = {};
  query[field] = { $eq: value }; // or use $ne, etc. based on input
  
  const results = await db.collection('users').find(query).toArray();
  res.json(results);
});

4. Using Mongoose with Schema Validation

const mongoose = require('mongoose');

const userSchema = new mongoose.Schema({
  username: { 
    type: String, 
    required: true,
    validate: {
      validator: (v) => /^[a-zA-Z0-9_]+$/.test(v),
      message: 'Invalid username format'
    }
  },
  password: { type: String, required: true }
});

const User = mongoose.model('User', userSchema);

app.post('/api/users', async (req, res) => {
  try {
    const user = new User(req.body);
    await user.save();
    res.json({ success: true });
  } catch (err) {
    res.status(400).json({ error: err.message });
  }
});

These patterns ensure that user input cannot manipulate the query structure, effectively preventing NoSQL injection attacks in your Chi applications.