 

Can injection still be an issue if all the database operations are done through Mongoose?

Learning the basics of MongoDB, I read that MongoDB is vulnerable to injection attacks out-of-the-box. In Node, this can be prevented with the help of the mongo-sanitize module. So far, so good. Now let's add Mongoose to the equation.

If we are using Mongoose

  • Do we still need to sanitize MongoDB inputs? Should we still use mongo-sanitize along with Mongoose?
  • Does Mongoose offer any explicit injection protection at all, or does the protection come from enforcing types in schemas and models?

I remember reading that Mongoose can prevent injections to some extent, but I don't know the specifics, or if it is redundant to sanitize against Mongoose.

asked Sep 13 '25 23:09 by runw



1 Answer

As the article mentioned, the problem arises when the user doesn't send strings like 'bergur' and 'myawesomepassword' but instead sends {"$ne": null} for the username and password.

If you create a schema and define username and password as strings, then Mongoose will convert them to strings and you avoid the problem.

Regarding the $where injection, mongo-sanitize wouldn't help you there. The solution is simply never to use the $where operator.

So to simply answer your question:

  1. No, you don't need to use mongo-sanitize.
  2. No explicit injection protection; the protection comes from schemas and models.
answered Sep 16 '25 13:09 by Bergur

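Added example (not code from the question, the answer, or the Mongoose or mongo-sanitize projects): a self-contained model of the login-bypass payload the answer describes and of the two defences it compares, operator stripping (what mongo-sanitize does) and schema-style type enforcement. The users list, the request bodies and the tiny `findOne` evaluator are all constructed inside the block so it runs offline with no database and no npm packages; `stripOperators`, `requireString` and the `login*` functions are names chosen here, not library APIs. One caveat a practitioner should keep in mind when relying on the schema alone: Mongoose casts fields to the declared type when you build or save a document, but when it casts a query filter it treats `$`-prefixed keys as query operators, which is why Mongoose 6 added the `sanitizeFilter` option (`mongoose.set('sanitizeFilter', true)`) to strip them from filters. If you are on an older version, or you pass `req.body` values straight into `find()`, an explicit check like the ones below is still worth having.

```javascript
// Constructed request bodies: the honest login and the attacker's version,
// where both fields arrive as operator objects instead of strings.
const HONEST_BODY = JSON.parse('{"username": "bergur", "password": "myawesomepassword"}');
const ATTACK_BODY = JSON.parse('{"username": {"$ne": null}, "password": {"$ne": null}}');

// Constructed stand-in for the users collection. Plaintext passwords are used
// only to keep the demonstration small; real code stores a hash and verifies it.
const USERS = [
  { username: 'bergur', password: 'myawesomepassword' },
  { username: 'runw', password: 'hunter2' },
];

// Minimal evaluator for the subset of MongoDB query semantics the attack relies
// on: a plain value matches by equality, an object with $ne matches when the
// stored value differs. Enough to show why {"$ne": null} matches every document.
function fieldMatches(stored, condition) {
  if (condition !== null && typeof condition === 'object' && !Array.isArray(condition)) {
    if ('$ne' in condition) return stored !== condition.$ne;
    return false; // any other operator is unsupported in this toy evaluator
  }
  return stored === condition;
}

function findOne(filter) {
  const hit = USERS.find(doc =>
    Object.keys(filter).every(key => fieldMatches(doc[key], filter[key])));
  return hit || null;
}

// Defence 1: recursively drop every key that starts with "$". This is the
// behaviour of mongo-sanitize, re-implemented here rather than imported.
function stripOperators(value) {
  if (Array.isArray(value)) return value.map(stripOperators);
  if (value !== null && typeof value === 'object') {
    const clean = {};
    for (const [key, inner] of Object.entries(value)) {
      if (!key.startsWith('$')) clean[key] = stripOperators(inner);
    }
    return clean;
  }
  return value;
}

// Defence 2: enforce the type the schema declares before the value reaches a
// query. A Mongoose String path does this for document fields; for a filter
// built from request input we check it ourselves and reject anything else.
function requireString(value, name) {
  if (typeof value !== 'string') throw new TypeError(`${name} must be a string`);
  return value;
}

// Vulnerable handler: request values flow into the filter unchanged.
function loginUnsafe(body) {
  return findOne({ username: body.username, password: body.password });
}

// Hardened with operator stripping: {"$ne": null} becomes {} and matches nothing.
function loginWithSanitize(body) {
  const safe = stripOperators(body);
  return findOne({ username: safe.username, password: safe.password });
}

// Hardened with type enforcement: a non-string field is rejected outright.
function loginWithTypes(body) {
  return findOne({
    username: requireString(body.username, 'username'),
    password: requireString(body.password, 'password'),
  });
}

console.log('unsafe, attack body   :', loginUnsafe(ATTACK_BODY));        // first user leaks
console.log('sanitized, attack body:', loginWithSanitize(ATTACK_BODY));  // null
try {
  loginWithTypes(ATTACK_BODY);
} catch (err) {
  console.log('typed, attack body    :', err.message);                   // rejected
}
console.log('typed, honest body    :', loginWithTypes(HONEST_BODY));     // bergur
```

The two defences fail in different ways, which is why the answer's point about `$where` matters: stripping `$` keys and enforcing a string type both neutralise operator objects, but neither helps once user text is evaluated as JavaScript inside `$where`, so that operator has to be avoided rather than sanitised.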