Fix NoSQL Injection in Blitz.js

NoSQL Injection in Blitz.js occurs when untrusted input is piped directly into database filters, particularly when using MongoDB as the backing store. Attackers can bypass authentication or dump data by injecting query operators like $gt, $ne, or $regex. In Blitz, this usually happens in queries or mutations where the 'args' object is spread directly into a Prisma or Mongoose find call without strict schema enforcement.

The Vulnerable Pattern

import db from 'db'
export default async function getUser(args: any) {
// VULNERABLE: Attacker can send { “id”: { “$ne”: null } } to bypass logic
const user = await db.user.findFirst({
where: args
})
return user
}

The Secure Implementation

The fix leverages Blitz's built-in Zod integration. By wrapping the resolver in 'resolver.pipe' and 'resolver.zod', we force the input to match a strict schema. This strips out any malicious objects or operators (like $ne) that an attacker might try to inject via JSON. Instead of spreading a raw 'args' object, we explicitly destructure validated primitives into the query filter, ensuring the database driver treats the input as a literal value rather than a query instruction.

import { resolver } from '@blitzjs/rpc'
import db from 'db'
import { z } from 'zod'
const GetUserSchema = z.object({
id: z.string(),
})
export default resolver.pipe(
resolver.zod(GetUserSchema),
async ({ id }) => {
// SECURE: Input is validated and flattened to a primitive string
const user = await db.user.findFirst({
where: { id }
})
if (!user) throw new Error(‘Not found’)
return user
}
)