Fix NoSQL Injection in Dropwizard
Dropwizard applications frequently leverage MongoDB for persistence. A common, critical failure occurs when developers treat NoSQL queries as raw strings. By concatenating user-supplied input directly into query objects or using 'BasicDBObject.parse()', you allow attackers to inject MongoDB operators like '$gt', '$ne', or '$where', leading to authentication bypass or full data exfiltration.
The Vulnerable Pattern
    @GET
    @Path("/{username}")
    public Response getUser(@PathParam("username") String username) {
        // VULNERABLE: Input is parsed directly into a query object
        // Attacker can pass: {"$ne": null} to dump all users
        String jsonQuery = "{ 'username': '" + username + "' }";
        Document user = collection.find(BasicDBObject.parse(jsonQuery)).first();
        return Response.ok(user).build();
    }
The Secure Implementation
The fix eliminates the use of 'BasicDBObject.parse()' and string concatenation. By using the 'Filters' helper classes provided by the MongoDB Java driver, the input is strictly typed and handled as a parameter rather than part of the query command structure. This prevents 'Operator Injection' because characters like '$' or nested objects in the input are no longer interpreted as query logic, but as literal string data.
    @GET
    @Path("/{username}")
    public Response getUser(@PathParam("username") String username) {
        // SECURE: Use the MongoDB Filters API
        // This treats input as a literal value, preventing operator injection
        Document user = collection.find(Filters.eq("username", username)).first();
        if (user == null) {
            throw new WebApplicationException(Response.Status.NOT_FOUND);
        }
        return Response.ok(user).build();
    }
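The following is an added example, not code from the article: it renders the filter that Filters.eq builds for the article's sample input and checks that the value reaches the query as a plain BSON string, and it adds a small audit helper that flags operator keys in any query document assembled from client-supplied JSON. It assumes the MongoDB Java sync driver 4.x on the classpath; the class and method names are hypothetical.

```java
import com.mongodb.MongoClientSettings;
import com.mongodb.client.model.Filters;
import org.bson.BsonDocument;
import org.bson.BsonValue;
import org.bson.conversions.Bson;

import java.util.Map;

// Hypothetical helper class, not part of the article or of Dropwizard.
public final class NoSqlInjectionCheck {

    // Same filter the hardened resource uses: the value is bound as a literal.
    static Bson usernameFilter(String username) {
        return Filters.eq("username", username);
    }

    // Renders a filter to the BsonDocument the driver would send to the server.
    static BsonDocument render(Bson filter) {
        return filter.toBsonDocument(
                BsonDocument.class, MongoClientSettings.getDefaultCodecRegistry());
    }

    // True when the "username" field of the rendered filter is a BSON string,
    // i.e. the user input cannot be interpreted as query logic.
    static boolean usernameIsLiteral(Bson filter) {
        BsonValue value = render(filter).get("username");
        return value != null && value.isString();
    }

    // Defence in depth for code paths that build a query document from client
    // JSON: recursively rejects any key starting with '$' (a MongoDB operator).
    static boolean containsOperatorKey(BsonDocument doc) {
        for (Map.Entry<String, BsonValue> e : doc.entrySet()) {
            if (e.getKey().startsWith("$")) {
                return true;
            }
            if (e.getValue().isDocument() && containsOperatorKey(e.getValue().asDocument())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample input: the string mentioned in the article's comment.
        String input = "{\"$ne\": null}";
        System.out.println(render(usernameFilter(input)).toJson());
        System.out.println("literal: " + usernameIsLiteral(usernameFilter(input)));
        // The same text parsed as a query document carries an operator key and must be rejected.
        BsonDocument parsed = BsonDocument.parse("{\"username\": " + input + "}");
        System.out.println("operator key present: " + containsOperatorKey(parsed));
    }
}
```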
Verified by Ghost Labs Security Team