Fix NoSQL Injection in Django
NoSQL Injection in Django typically manifests when using NoSQL backends like MongoDB (via Djongo or MongoEngine) and passing unvalidated user-controlled dictionaries directly into query methods. Attackers leverage NoSQL operators to bypass authentication or extract sensitive data by manipulating query logic.
The Vulnerable Pattern
```python
from django.http import JsonResponse
from .models import User


def insecure_search(request):
    # CRITICAL: Unpacking raw POST data directly into the filter
    # An attacker can send {'username': {'$ne': None}} to bypass checks
    query_params = request.POST.dict()
    user = User.objects.filter(**query_params).first()
    if user:
        return JsonResponse({'status': 'authenticated'})
    return JsonResponse({'status': 'failed'})
```
The Secure Implementation
The vulnerability occurs when the application treats user-supplied input as query operators rather than literal data. In NoSQL, special keys like '$gt', '$ne', or '$regex' change the query behavior. By unpacking a dictionary directly into the ORM filter (e.g., **request.POST), an attacker can inject these operators. The fix is to strictly define the expected keys, cast them to the appropriate data types (e.g., string, integer), and pass them as explicit keyword arguments to the filter method, ensuring the NoSQL driver treats them as literal search values.
```python
from django.http import JsonResponse
from .models import User


def secure_search(request):
    # SECURE: Explicitly extract and cast expected fields
    # This prevents operator injection by treating input as literal values
    username = str(request.POST.get('username', ''))
    password = str(request.POST.get('password', ''))
    # The filter receives fixed field names and plain strings, so nothing in
    # the request can become an operator key or a lookup suffix.
    # (Comparing a stored password directly mirrors the original snippet;
    # a real login should compare hashes, e.g. via Django's authenticate().)
    user = User.objects.filter(username=username, password=password).first()
    if user:
        return JsonResponse({'status': 'authenticated'})
    return JsonResponse({'status': 'failed'})
```
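The two snippets above cannot be run without a Django project and a MongoDB backend, so here is an added, self-contained example (not code from the original page, Djongo or MongoEngine) that models the same contrast. A small in-memory list stands in for the User collection, `_field_matches` implements just enough MongoDB operator semantics (`$ne`, `$gt`, `$regex`) to show why a nested dict in value position changes the query, and `build_safe_filter` is the whitelist-and-cast step the fix describes. The input dict is treated as the decoded request body (a JSON body arrives as nested dicts, which is the shape operators need); the field schema `ALLOWED_FIELDS`, the sample users and the helper names are all constructed for this example. The whitelist also drops unknown keys such as `$where` or Django lookup suffixes like `username__regex`, which goes slightly beyond the page's `$ne` case.

```python
import re
from typing import Any, Mapping, Optional

# Constructed sample documents standing in for the User collection.
USERS = [
    {"username": "alice", "password": "correct horse"},
    {"username": "bob", "password": "battery staple"},
]

# Hypothetical schema: the only fields a search may filter on, and their scalar type.
ALLOWED_FIELDS = {"username": str, "password": str}


class InvalidQueryInput(ValueError):
    """Raised when input carries a structure or type the endpoint never expects."""


def _field_matches(actual: Any, condition: Any) -> bool:
    """Minimal MongoDB semantics: a dict condition is an operator expression,
    anything else is an equality test. This is exactly what makes
    {"$ne": None} dangerous when it reaches the driver unchanged."""
    if not isinstance(condition, dict):
        return actual == condition
    for op, arg in condition.items():
        if op == "$ne":
            ok = actual != arg
        elif op == "$gt":
            ok = actual is not None and actual > arg
        elif op == "$regex":
            ok = isinstance(actual, str) and re.search(arg, actual) is not None
        else:
            raise ValueError(f"unsupported operator in this toy evaluator: {op}")
        if not ok:
            return False
    return True


def find_first(query: Mapping[str, Any]) -> Optional[dict]:
    """Stand-in for User.objects.filter(**query).first()."""
    for doc in USERS:
        if all(_field_matches(doc.get(field), cond) for field, cond in query.items()):
            return doc
    return None


def insecure_search(raw: Mapping[str, Any]) -> str:
    # Mirrors the vulnerable pattern: the request dict becomes the query as-is.
    return "authenticated" if find_first(raw) else "failed"


def build_safe_filter(raw: Mapping[str, Any],
                      allowed: Mapping[str, type] = ALLOWED_FIELDS) -> dict:
    """Keep only whitelisted fields and force each to its declared scalar type.
    Unknown keys (operator keys such as "$where", lookup suffixes such as
    "username__regex") are dropped; structured values are rejected because
    that is the shape in which operators arrive."""
    safe: dict = {}
    for field, expected in allowed.items():
        if field not in raw:
            continue
        value = raw[field]
        if isinstance(value, (dict, list, tuple, set)):
            raise InvalidQueryInput(f"{field}: structured value rejected")
        try:
            safe[field] = expected(value)
        except (TypeError, ValueError) as exc:
            raise InvalidQueryInput(f"{field}: expected {expected.__name__}") from exc
    return safe


def secure_search(raw: Mapping[str, Any]) -> str:
    try:
        query = build_safe_filter(raw)
    except InvalidQueryInput:
        return "failed"
    # A login must present every expected field; a missing one must not widen the query.
    if set(query) != set(ALLOWED_FIELDS):
        return "failed"
    return "authenticated" if find_first(query) else "failed"


if __name__ == "__main__":
    probe = {"username": {"$ne": None}, "password": {"$ne": None}}
    print("insecure:", insecure_search(probe))  # operator reaches the query
    print("secure:  ", secure_search(probe))    # structured values are rejected
```

Rejecting structured values loudly (rather than silently coercing them with `str()`) is a deliberate choice: it gives the application a clear point at which to log the attempt, which is useful detection signal, whereas `str({"$ne": None})` would quietly turn the probe into a harmless but confusing literal.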
Verified by Ghost Labs Security Team