Written by Pete Corey on Apr 6, 2015.

Since Meteor only supports the fantastic MongoDB, we no longer have to worry about the ever present threat of SQL injection. Gone are the days of query parameters and ORMs. Right? Wrong!

While not as well-known or potentially as dangerous as SQL injection, as MongoDB developers, we still need to be ever vigilant against NoSQL injection.

SQL injection usually occurs when SQL query strings are constructed by concatenating or directly inserting unescaped user input into the query. This gives the malicious user (mostly) free rein to modify the command however they see fit, or potentially to run additional commands against your database.

MongoDB queries take the form of JSON/BSON objects, not strings. We should be safe from injection, right? To an extent, yes. But let’s take a look at a very simple example. Suppose we have a Meteor publication that takes an argument and passes that argument through to a Collection query:

Meteor.publish('injectMe', function(foo) {
    return SensitiveDocuments.find({
        foo: foo
    });
});

Let’s say the client subscribes to this publication and passes in some piece of user information (foo). Ideally, only the sensitive documents related to that user’s foo will be returned by the subscription.

In this case, foo is intended to be a string. But what happens if a malicious client opens their browser console and makes this subscription:

Meteor.subscribe('injectMe', {$gte: ''});

Suddenly, all of the sensitive documents for every user will be served to the malicious user. The argument is no longer a string but a selector object, and every string value of foo in the database compares greater than or equal to the empty string under MongoDB's ordering, so the $gte condition matches every document.

To guard against this, always check each of your arguments:

Meteor.publish('injectMe', function(foo) {
    // Reject anything that is not a plain string, e.g. {$gte: ''}
    check(foo, String);
    return SensitiveDocuments.find({
        foo: foo
    });
});

This check will assert that foo is a String. If not, a Match.Error exception is thrown.
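To see why the type check closes the hole, here is an added example (not code from the original post or from Meteor) that runs under plain Node without a Meteor app. The names MatchError, checkString, buildSelector, isAcceptedArgument and hasOperatorKeys are hypothetical stand-ins for what check(foo, String) guarantees inside a publication; the real guard lives in Meteor's check package.

```javascript
// Hypothetical stand-in for Meteor's Match.Error, used only so the
// rejection can be distinguished from other failures.
class MatchError extends Error {}

// Mirrors check(foo, String): anything that is not a primitive string is
// refused, which includes selector objects such as {$gte: ''} that MongoDB
// would otherwise interpret as a query operator.
function checkString(value) {
  if (typeof value !== 'string') {
    throw new MatchError(`Match error: Expected string, got ${typeof value}`);
  }
  return value;
}

// The selector a hardened publication would pass to SensitiveDocuments.find().
// Because the guard runs first, the selector can only ever be an equality
// match on a string, never an operator expression supplied by the client.
function buildSelector(foo) {
  checkString(foo);
  return { foo: foo };
}

// True when the argument passes the guard, false when it is rejected.
function isAcceptedArgument(foo) {
  try {
    buildSelector(foo);
    return true;
  } catch (e) {
    if (e instanceof MatchError) return false;
    throw e;
  }
}

// Defender-side helper: walks a rejected argument looking for MongoDB
// operator keys (those beginning with '$') at any depth, so a server can log
// attempts to smuggle operators rather than merely dropping the request.
function hasOperatorKeys(value) {
  if (value === null || typeof value !== 'object') return false;
  if (Array.isArray(value)) return value.some(hasOperatorKeys);
  return Object.keys(value).some(
    key => key.startsWith('$') || hasOperatorKeys(value[key])
  );
}

// Constructed sample arguments: a legitimate one and the injected selector.
console.log(isAcceptedArgument('alice'));      // true
console.log(isAcceptedArgument({ $gte: '' })); // false
```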

To ensure that every argument sent to your methods and publications is being checked, you can add the audit-argument-checks package to your project:

meteor add audit-argument-checks

While the consequences of this aren’t nearly as far reaching as those of SQL injection, it’s still something to be aware of when you’re developing your Meteor publications and methods.