Server Side Template Injection in Loopback with Mongodb

Server Side Template Injection (SSTI) occurs when user-controlled data is passed into a template function that evaluates expressions, enabling execution of unintended code. Loopback, a Node.js framework, often renders dynamic content using template engines or constructs query objects programmatically. When these patterns involve direct interpolation of request parameters into MongoDB query objects or aggregation pipelines, the risk of injection rises.

Consider a Loopback controller that builds a find query from a URL query parameter without validation:

app.models.user.find({ where: { role: ctx.query.role } });

If the where object is constructed by a template engine that evaluates expressions (e.g., using lodash.template or similar), an attacker could submit a payload such as ?role={{return process}}. Depending on how the template function resolves this, it may expose global objects or enable code execution. The resulting MongoDB query may become malformed or overly permissive, bypassing intended filters.

SSTI can also manifest in aggregation pipelines. An attacker might inject a stage that alters pipeline behavior or leaks information:

app.models.user.aggregate([{ $match: { status: '{{status}}' } }]);

If the injection modifies pipeline logic, it can change the scope of data returned or trigger errors that reveal stack traces or environment details. Because MongoDB supports complex query syntax, injection can lead to unintended match conditions or exposure of sensitive fields.

In Loopback applications, improper use of dynamic schema or model definitions can further amplify SSTI. For example, using user input to reference model names or datasource names may route queries to unintended backends. Because MongoDB is the persistence layer, injection here does not directly modify the database schema, but it can change which collections are queried or how filters are applied, leading to data leakage or privilege escalation.

middleBrick detects such patterns during black-box scanning by analyzing unauthentinated attack surfaces and identifying unsafe data flows into MongoDB-related operations. Findings include severity, contextual remediation guidance, and mapping to frameworks such as OWASP API Top 10 and common weaknesses in API handling.

Remediation focuses on strict input validation, avoiding dynamic template evaluation, and constructing MongoDB queries programmatically rather than through string interpolation.

• Use Loopback's built-in filter validation: define filter as a strict object and avoid passing raw user input into template strings.
• Whitelist allowed fields and values for queries, especially for roles, status, or sort parameters.
• Do not construct aggregation pipelines using string-based templates; build stages as plain JavaScript objects.

Secure example using a parameterized query object:

const allowedRoles = ['admin', 'user', 'guest'];
const role = ctx.query.role;
if (!allowedRoles.includes(role)) {
  throw new Error('Invalid role');
}
const filter = { where: { role: role } };
const users = await app.models.user.find(filter);

Secure aggregation without template interpolation:

const allowedStatuses = ['active', 'inactive'];
const status = ctx.query.status;
if (!allowedStatuses.includes(status)) {
  throw new Error('Invalid status');
}
const cursor = app.models.user.aggregate([
  { $match: { status: status } }
]);
const results = await cursor.toArray();

If you must render templates for UI purposes, use a sandboxed context and disable evaluation of arbitrary code. For example, with a safe templating library:

import { compile } from 'some-safe-template';
const template = compile('User role: {{role}}');
const html = template({ role: sanitize(role) });

middleBrick's Pro plan supports continuous monitoring and CI/CD integration via GitHub Action, which can enforce these patterns by failing builds when unsafe template usage is detected in API definitions.

For teams needing deeper visibility, the Dashboard tracks API security scores over time and provides per-category breakdowns, helping prioritize fixes for MongoDB-related endpoints.