GMS-2019-37: NoSQL Injection in loopback-connector-mongodb
(updated )
Versions of loopback-connector-mongodb are vulnerable to NoSQL injection.
MongoDB Connector for LoopBack fails to properly sanitize a filter passed to query the database by allowing the dangerous $where property to be passed to the MongoDB Driver. The Driver allows the special $where property in a filter to execute JavaScript (client can pass in a malicious script) on the database Driver. This is an intended feature of MongoDB unless disabled (instructions here).
A proof of concept malicious query:
GET /POST filter={"where": {"$where": "function(){sleep(5000); return this.title.contains('Hello');}"}}
The above makes the database sleep for 5 seconds and then returns all “Posts” with the title containing the word Hello.
Update to or later.
References
- github.com/advisories/GHSA-m734-r4g6-34f9
- github.com/strongloop/loopback-connector-mongodb/commit/ee24cd08b8ccc32711264831c71b1da628df357b
- github.com/strongloop/loopback-connector-mongodb/issues/403
- github.com/strongloop/loopback-connector-mongodb/pull/452
- loopback.io/doc/en/lb3/Security-advisory-08-15-2018.html
- www.npmjs.com/advisories/696
Code Behaviors & Features
Detect and mitigate GMS-2019-37 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →