
I have a Meteor application and we run many simple search queries, and I was wondering if there's a way a hacker would be able to exploit them. And what's the best way to ensure a clean input? We use a Meteor package called check which throws an error if the provided argument isn't a String. But lots of articles recommend mongo-sanitize!

import { check } from 'meteor/check';
// `Location` is the app's Mongo.Collection (its import is not shown in the question).

// check throws a Match.Error unless `search` is a String, so an object such as
// { $ne: null } sent by a client never reaches the query.
check(search, String);

Location.find({
  $text: {
    $search: search  // used as a value, never as a key, so no operator can be injected here
  }
});

To sum it up: A) Is check enough, or should it be replaced/coupled with mongo-sanitize? B) If it's vulnerable to such attacks, could you please provide a simple example? Thanks!

Harry Adel
  • Probably best to stop reading the packages and articles and read the existing answers instead. MongoDB cannot have "injected code" in the same way SQL databases are prone to, with the exception of actually allowing things to run as a BSON command directly. You cannot inject anything nefarious into a `find()`. Passing in raw queries even with accepted operators is really not advised (not because it's dangerous, but it's just bad design), and none of this at all ever applies to a string argument to `$text`. – Neil Lunn Oct 26 '19 at 09:35
  • I see, thanks @NeilLunn. – Harry Adel Oct 26 '19 at 11:56
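An added example, not from the question, from Meteor or from the mongo-sanitize package, to make the difference concrete: what `check(search, String)` rejects, what mongo-sanitize strips, and why neither matters for a `$text` query but both matter for an equality match built from untrusted input. `checkString` and `stripOperatorKeys` are hypothetical stand-ins (Meteor's `check` throws a `Match.Error`; mongo-sanitize removes keys beginning with `$`) so the file runs offline under plain Node; the inputs are constructed.

```javascript
// Stand-in for Meteor's check(value, String): fail loudly on anything that is
// not a primitive string. (The real check throws Match.Error.)
function checkString(value) {
  if (typeof value !== 'string') {
    throw new TypeError(`Match error: expected String, got ${typeof value}`);
  }
  return value;
}

// Stand-in for mongo-sanitize: recursively drop keys that begin with "$".
// Note it silently rewrites the input ({ $ne: null } becomes {}) instead of rejecting it.
function stripOperatorKeys(input) {
  if (Array.isArray(input)) return input.map(stripOperatorKeys);
  if (input && typeof input === 'object') {
    const out = {};
    for (const [key, val] of Object.entries(input)) {
      if (!key.startsWith('$')) out[key] = stripOperatorKeys(val);
    }
    return out;
  }
  return input; // strings, numbers, null pass through unchanged
}

// True if an operator key ($ne, $gt, $where, ...) appears anywhere in a query object.
function containsOperatorKey(obj) {
  if (Array.isArray(obj)) return obj.some(containsOperatorKey);
  if (obj && typeof obj === 'object') {
    return Object.entries(obj).some(
      ([key, val]) => key.startsWith('$') || containsOperatorKey(val)
    );
  }
  return false;
}

// The question's shape. The client input is the VALUE of $search, so even a
// string full of "$" characters is just search text; MongoDB also rejects a
// non-string $search value itself.
function buildTextQuery(search) {
  checkString(search);
  return { $text: { $search: search } };
}

// The shape where operator injection actually bites: client input used as the
// value of an equality match. If a JSON body supplies password = { $ne: null },
// Mongo evaluates "password != null", which is true for every document.
function buildLoginQueryUnsafe(username, password) {
  return { username, password };
}

// Same shape with the question's defence: the object payload never reaches the query.
function buildLoginQueryChecked(username, password) {
  checkString(username);
  checkString(password);
  return { username, password };
}

// Constructed inputs: what a client could send through a Meteor method or HTTP body.
const benignSearch = 'coffee shop';
const stringWithOperatorText = '{"$ne": null} $where'; // a string, harmless as $search
const injectedObject = { $ne: null };                  // a real operator object

function demo() {
  const summary = {
    textQueryIsString: typeof buildTextQuery(stringWithOperatorText).$text.$search,
    textQueryRejectsObject: (() => { try { buildTextQuery(injectedObject); return false; } catch { return true; } })(),
    unsafeLoginHasOperator: containsOperatorKey(buildLoginQueryUnsafe('admin', injectedObject)),
    sanitizedLoginHasOperator: containsOperatorKey(stripOperatorKeys(buildLoginQueryUnsafe('admin', injectedObject))),
    checkedLoginRejectsObject: (() => { try { buildLoginQueryChecked('admin', injectedObject); return false; } catch { return true; } })(),
  };
  return summary;
}

console.log(demo());
```

The two tools are not interchangeable: `check` fails closed and leaves the value untouched, while a sanitizer rewrites `{ password: { $ne: null } }` into `{ password: {} }`, a query that quietly matches nothing rather than surfacing the bad request. For a `$text` search the string type check alone already removes the only injectable input, because the search term is never interpreted as a key.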

0 Answers