Security Misconfiguration in Feathersjs with Mongodb
Security Misconfiguration in Feathersjs with Mongodb — how this specific combination creates or exposes the vulnerability
FeathersJS is a framework for creating JavaScript APIs with services centered around data. When paired with MongoDB, misconfigurations commonly expose the unauthenticated attack surface in ways that amplify typical CRUD risks. A service may inadvertently allow client-side queries that traverse references or return entire documents, especially when the service schema is loosely defined and $select or $expand-like projections are not explicitly restricted. If service hooks do not enforce authorization checks or if they apply only to specific methods while leaving find/access open, an attacker can enumerate or read records they should not see. This becomes more severe when MongoDB connection strings or internal topology details are exposed through error messages returned to the client.
Another common misconfiguration is binding user-supplied query parameters directly to MongoDB filter objects without validation or sanitization. For example, a client might send arbitrary JSON that becomes part of the MongoDB query, enabling unintended filtering, field selection, or even injection-style behavior when operators are interpreted from request input. If the service allows $where or other powerful MongoDB operators without constraint, an attacker can leverage these to infer data or perform unauthorized operations. In addition, missing or improperly configured CORS rules can allow cross-origin requests from untrusted origins, letting an authenticated context be abused across domains.
With middleBrick scanning such an API, it checks the unauthenticated attack surface and flags findings like BOLA/IDOR when object-level permissions are missing, and Property Authorization when fields are returned without proper scoping. The scanner also surfaces Data Exposure when responses include sensitive fields due to projection misconfigurations, and Unsafe Consumption when untrusted input shapes are passed into MongoDB pipelines without schema validation. These checks align with OWASP API Top 10 categories such as Broken Object Level Authorization and Excessive Data Exposure, which are especially relevant when FeathersJS services rely on MongoDB as the backend store.
Mongodb-Specific Remediation in Feathersjs — concrete code fixes
To harden a FeathersJS service using MongoDB, explicitly define the fields a client may query and project. Use a whitelist of allowed fields in the service configuration so that $select-like behavior is constrained. For example, in your service definition you can set paginate and field restrictions that limit what is returned from find and get.
// src/services/notes/notes.class.js
const { Service } = require('feathers-mongoose');
class CustomNotesService extends Service {
async find(params) {
// Ensure the query does not allow arbitrary field selection
if (params.query && params.query.$select) {
delete params.query.$select;
}
return super.find(params);
}
}
module.exports = function (app) {
const options = {
name: 'notes',
Model: app.get('mongoose').models.Notes,
paginate: {
default: 10,
max: 25
}
};
app.use('/notes', new CustomNotesService(options));
};In your Mongoose schema, explicitly mark sensitive fields and ensure they are never returned by default. Combine this with a global toObject transform that removes marked fields unless explicitly requested for internal use.
// src/models/note.model.js
const mongoose = require('mongoose');
const noteSchema = new mongoose.Schema({
title: { type: String, required: true },
content: { type: String, required: true },
ownerId: { type: mongoose.Schema.Types.ObjectId, required: true },
isInternal: { type: Boolean, default: false }
}, {
toObject: { getters: true, transform: (doc, ret) => { delete ret.isInternal; return ret; } }
});
// Ensure sensitive fields are hidden unless explicitly populated
noteSchema.methods.toJSON = function() {
const obj = this.toObject();
delete obj.isInternal;
return obj;
};
module.exports = mongoose.model('Note', noteSchema);Apply strict query sanitization in service hooks so that user input cannot introduce MongoDB operators that lead to unintended behavior. Validate and normalize query parameters before they reach the model layer.
// src/hooks/query-sanitize.hook.js
module.exports = function sanitizeQuery() {
return function (hook) {
if (hook.params.query) {
const disallowed = ['$where', '$eval', '$function'];
disallowed.forEach(op => { delete hook.params.query[op]; });
// Remove any operator-like keys introduced by user input
Object.keys(hook.params.query).forEach(key => {
if (key.startsWith('$') && !['$in', '$eq', '$ne', '$gt', '$lt', '$gte', '$lte'].includes(key)) {
delete hook.params.query[key];
}
});
}
return hook;
};
};Use consistent ownership checks within service methods or hooks to enforce BOLA/IDOR protections. Even when using MongoDB’s flexible document model, ensure that find, get, update, and remove operations filter by the authenticated subject’s scope.
// src/hooks/ownership.hook.js
module.exports = function ownershipHook() {
return async (hook) => {
if (hook.params.user) {
const userId = hook.params.user._id;
if (Array.isArray(hook.result)) {
hook.result.data = hook.result.data.filter(item => String(item.ownerId) === String(userId));
hook.result.total = hook.result.data.length;
} else if (hook.result && hook.result.ownerId && String(hook.result.ownerId) !== String(userId)) {
throw new Error('Forbidden');
}
// For get/update/remove, ensure query includes ownership
if (hook.id !== undefined) {
hook.params.query = hook.params.query || {};
hook.params.query.ownerId = userId;
}
}
return hook;
};
};Finally, configure your MongoDB connection to avoid leaking internal details in errors and ensure TLS is enforced. middleBrick will highlight Encryption and Data Exposure findings if credentials or schema details appear in responses, so validate that error handling does not expose stack traces or connection strings.