Database query built from user-controlled sources

[celeroncoder]

Description

Building a database query from user-controlled sources is vulnerable to insertion of malicious code by the user.
If a database query (such as a SQL or NoSQL query) is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.

Instances

• src/users/users.service.ts
  
• src/notes/notes.service.ts
  

Expected behaviour

Database Query must be sanitized before being passed.

References

1. Wikipedia: SQL injection.
2. MongoDB: $eq operator.
3. Common Weakness Enumeration: CWE-89.

[celeroncoder]

Recommendation

For NoSQL queries, make use of an operator like MongoDB's $eq to ensure that untrusted data is interpreted as a literal value and not as a query object.