Skip to content

[BUG] Secure API Routes against NoSQL Query Injection Attacks #576

Description

@knoxiboy

Problem Statement

The backend uses raw query parameters like req.body directly in Mongoose queries without sanitization. This exposes the app to NoSQL injection attacks where attackers pass objects (e.g., {"$ne": null}) to bypass auth checks or query private chats of other users.

Proposed Solution

  1. Install express-mongo-sanitize in the backend.
  2. Register the middleware in backend/src/index.js to automatically sanitize keys starting with $ or containing ..
  3. Audit all database parameters in message.controller.js and auth.controller.js to ensure variables are strictly cast or verified.

Alternatives Considered

Writing manual sanitizers for every endpoint, which is highly error-prone and hard to maintain.

Additional Context

Level: Critical
Affected Files: backend/src/index.js, backend/package.json

Can you please assign this issue to me? I would like to work on this.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions