GuardAPI

Fix NoSQL Injection in Iris

NoSQL Injection in Go's Iris framework typically occurs when user-supplied JSON is unmarshaled into a generic map or interface and then passed directly to a database driver like mongo-go-driver. Attackers exploit this by injecting operator objects (e.g., {"$gt": ""}) to bypass authentication or exfiltrate data. To fix this, you must enforce strict typing using Go structs.

The Vulnerable Pattern

import (
    "context"

    "github.com/kataras/iris/v12"
    "go.mongodb.org/mongo-driver/bson"
)

func LoginHandler(ctx iris.Context) {
    // VULNERABLE: Using map[string]interface{} allows nested objects/operators
    var input map[string]interface{}
    if err := ctx.ReadJSON(&input); err != nil {
        ctx.StopWithStatus(iris.StatusBadRequest)
        return
    }

    // If an attacker sends {"user": {"$ne": null}}, this query returns the first user in the DB
    filter := bson.M{"username": input["user"], "password": input["pass"]}
    // user and collection are declared elsewhere (not shown on the page)
    err := collection.FindOne(context.TODO(), filter).Decode(&user)
    if err != nil {
        ctx.StopWithStatus(iris.StatusUnauthorized)
        return
    }
}

The Secure Implementation

The vulnerability lies in the dynamic nature of map[string]interface{}. When Iris unmarshals JSON into this map, it preserves nested objects, so an attacker can send a JSON object whose 'user' field is itself an object containing MongoDB operators such as $ne (not equal) or $gt (greater than). By switching to a strictly typed struct (LoginRequest), the Go JSON unmarshaler returns an error if the client passes an object where a string is expected, ReadJSON reports that error to the handler, and the request is rejected before any query is built, which neutralizes the NoSQL operator injection.

type LoginRequest struct {
    Username string `json:"user"` // Enforces string type
    Password string `json:"pass"` // Enforces string type
}

func LoginHandler(ctx iris.Context) {
    var req LoginRequest
    // SECURE: ReadJSON into a struct prevents operator injection;
    // an object where a string is expected makes ReadJSON return an error
    if err := ctx.ReadJSON(&req); err != nil {
        ctx.StopWithStatus(iris.StatusBadRequest)
        return
    }

    // Input is now guaranteed to be literal strings
    filter := bson.M{"username": req.Username, "password": req.Password}
    // user and collection are declared elsewhere (not shown on the page); matching a
    // plaintext password field mirrors the vulnerable version, a real login verifies a hash
    err := collection.FindOne(context.TODO(), filter).Decode(&user)
    if err != nil {
        ctx.StopWithStatus(iris.StatusUnauthorized)
        return
    }
}
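As an added example (not code from the GuardAPI page), the same decoding rule reproduced with only the Go standard library so it runs without Iris or the Mongo driver: ParseLogin mirrors the struct-based check of the secure handler and additionally rejects unknown keys and empty fields, while HasOperatorKey is a defence-in-depth walk over a generically decoded body that flags any "$"-prefixed key, the shape the vulnerable map version would have handed to bson.M. The names ParseLogin and HasOperatorKey and the sample bodies are this example's own.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

type LoginRequest struct { // the article's strictly typed request: string fields only
	Username string `json:"user"`
	Password string `json:"pass"`
}

// ParseLogin decodes strictly: an object where a string is expected makes encoding/json
// return *json.UnmarshalTypeError; unknown keys and empty fields are rejected as well.
func ParseLogin(body []byte) (LoginRequest, error) {
	var req LoginRequest
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&req); err != nil {
		return LoginRequest{}, err
	}
	if req.Username == "" || req.Password == "" {
		return LoginRequest{}, fmt.Errorf("user and pass must be non-empty strings")
	}
	return req, nil
}

// HasOperatorKey walks a generically decoded JSON value (what map[string]interface{}
// holds) and reports whether any object key starts with "$", i.e. a MongoDB operator.
func HasOperatorKey(v interface{}) bool {
	if obj, ok := v.(map[string]interface{}); ok {
		for k, child := range obj {
			if (len(k) > 0 && k[0] == '$') || HasOperatorKey(child) {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed bodies: a normal login and the injection payload from the article.
	for _, body := range []string{`{"user":"alice","pass":"s3cret"}`, `{"user":{"$ne":null},"pass":{"$ne":null}}`} {
		var generic interface{}
		_ = json.Unmarshal([]byte(body), &generic)
		_, err := ParseLogin([]byte(body))
		fmt.Printf("%s -> operator=%v strictErr=%v\n", body, HasOperatorKey(generic), err)
	}
}
```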


Verified by Ghost Labs Security Team
