Fix NoSQL Injection in Camping
Camping is a micro-framework for Ruby, but its lightweight nature doesn't protect you from NoSQL injection if you're using Mongoid or similar adapters. The vulnerability stems from the framework's handling of query parameters: when an attacker passes a nested hash instead of a scalar value, they can inject MongoDB operators like $gt, $ne, or $regex to bypass logic or exfiltrate data.
The Vulnerable Pattern
module Blog::Controllers
  class Post < R '/post/(.*)'
    def get(id)
      # VULNERABLE: the raw input value is handed to the driver unchanged
      # Attacker sends: /post/1?slug[$ne]=null
      # Blog::Models::Post is spelled out because inside this controller the
      # bare constant Post resolves to the controller class itself
      @post = Blog::Models::Post.find_by(slug: input.slug)
      render :view
    end
  end
end
The Secure Implementation
The exploit works because Ruby's Rack-based parameter parsing converts 'slug[$ne]=null' into a nested Hash: {'slug' => {'$ne' => nil}}. When that Hash is passed straight to the database driver, the driver interprets '$ne' as a query operator. The fix is to enforce the expected type: casting the input to a String with '.to_s' means that even if a Hash is supplied, it is compared as a literal string value, so the injected operator is never interpreted.
module Blog::Controllers
  class Post < R '/post/(.*)'
    def get(id)
      # SECURE: explicit type casting to String
      # This neutralizes hash-based operator injection
      slug_param = input.slug.to_s
      # Blog::Models::Post is spelled out because inside this controller the
      # bare constant Post resolves to the controller class itself
      @post = Blog::Models::Post.find_by(slug: slug_param)
      # ALTERNATIVE (Mongoid): pin the comparison with an explicit $eq so the
      # value can never be read as an operator document
      # @post = Blog::Models::Post.where(slug: { '$eq' => slug_param }).first
      render :view
    end
  end
end
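To see the whole chain end to end, here is an added, self-contained Ruby example (not code from the page or the Camping project): a hand-written stand-in for Rack's nested query parser (so it runs without the rack or mongoid gems) shows how 'slug[$ne]=null' becomes an operator Hash, and three selector builders contrast the vulnerable pass-through, the page's '.to_s' coercion, and a stricter variant that rejects non-string input and pins the comparison with $eq. All function names and sample inputs are constructed for illustration.

```ruby
require 'cgi'

class BadRequest < StandardError; end

# Stand-in for Rack::Utils.parse_nested_query (one bracket level only). It is
# what turns "slug[$ne]=null" into a nested Hash before Camping exposes it as `input`.
def parse_nested_query(query_string)
  query_string.split('&').each_with_object({}) do |pair, params|
    key, value = pair.split('=', 2).map { |s| CGI.unescape(s.to_s) }
    if (m = key.match(/\A([^\[]+)\[([^\]]*)\]\z/))
      (params[m[1]] ||= {})[m[2]] = value
    else
      params[key] = value
    end
  end
end

# VULNERABLE: the parameter reaches the driver in whatever shape it arrived,
# so a nested Hash becomes an operator document ({"$ne"=>"null"}).
def vulnerable_selector(input)
  { 'slug' => input['slug'] }
end

# The page's fix: String coercion. A Hash becomes its inspect text, a literal
# that matches no real slug, so the operator loses its meaning.
def coerced_selector(input)
  { 'slug' => input['slug'].to_s }
end

# Stricter variant: reject anything that is not a scalar String (answer 400),
# and pin the comparison with an explicit $eq so the value can never be
# reinterpreted as an operator document.
def strict_selector(input)
  slug = input['slug']
  raise BadRequest, 'slug must be a scalar string' unless slug.is_a?(String)
  raise BadRequest, 'slug is required' if slug.empty?
  { 'slug' => { '$eq' => slug } }
end

if __FILE__ == $PROGRAM_NAME
  injected = parse_nested_query('slug[$ne]=null')   # constructed attacker input
  p vulnerable_selector(injected)   # operator document survives
  p coerced_selector(injected)      # a plain String; matches no real slug
  begin
    strict_selector(injected)
  rescue BadRequest => e
    puts "rejected: #{e.message}"
  end
end
```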
Verified by Ghost Labs Security Team