GuardAPI Logo
GuardAPI

Fix NoSQL Injection in CherryPy

CherryPy apps often fall victim to NoSQL injection when developers blindly trust JSON payloads from 'cherrypy.request.json'. In a typical MongoDB/PyMongo setup, passing a raw dictionary into a 'find_one' or 'update' call allows an attacker to inject operators like '$gt', '$ne', or '$regex'. This can lead to authentication bypass, data exfiltration, or DoS. To kill this bug, you must enforce strict type checking and schema validation.

The Vulnerable Pattern

import cherrypy
from pymongo import MongoClient

client = MongoClient(‘mongodb://localhost:27017/’)
db = client.prod_db


class API:
@cherrypy.expose
@cherrypy.tools.json_in()
def login(self):
# VULNERABLE: If input is {“user”: “admin”, “pass”: {“$ne”: ""}}, auth is bypassed.
input_data = cherrypy.request.json
user = db.users.find_one({
“username”: input_data.get(‘user’),
“password”: input_data.get(‘pass’)
})
return “Success” if user else “Fail”

The Secure Implementation

The vulnerability exists because MongoDB queries are structured as JSON objects. When PyMongo receives a dictionary instead of a string, it interprets keys starting with '$' as query operators. The fix involves ensuring that user-supplied values are strictly treated as scalars (strings/numbers). By wrapping input in 'str()', any nested dictionary (the injection vector) is converted into a literal string representation, rendering the '$ne' or '$regex' operators inert. For complex apps, use a schema library like Marshmallow to validate input structure before it hits the database layer.

import cherrypy
from pymongo import MongoClient

client = MongoClient(‘mongodb://localhost:27017/’)
db = client.prod_db


class API:
@cherrypy.expose
@cherrypy.tools.json_in()
def login(self):
data = cherrypy.request.json


    # SECURE: Explicitly cast to string to neutralize NoSQL operators
    username = str(data.get('user', ''))
    password = str(data.get('pass', ''))

    user = db.users.find_one({
        "username": username,
        "password": password
    })
    return "Success" if user else "Fail"</code></pre>
System Alert • ID: 9968
Target: CherryPy API
Potential Vulnerability

Your CherryPy API might be exposed to NoSQL Injection

74% of CherryPy apps fail this check. Hackers use automated scanners to find this specific flaw. Check your codebase before they do.

RUN FREE SECURITY DIAGNOSTIC
GuardLabs Engine: ONLINE

Free Tier • No Credit Card • Instant Report

Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.

About GuardLabs → Follow us on X