Fix NoSQL Injection in Meteor
Meteor's tight integration with MongoDB creates a massive attack surface for NoSQL Injection if developers treat client-side input as trusted. By passing raw arguments into collection selectors, attackers can inject query operators like $gt, $ne, or $regex to bypass authentication, leak sensitive records, or perform blind data exfiltration. If you aren't enforcing strict schema validation on every Method and Subscription, your DB is an open book.
The Vulnerable Pattern
Meteor.methods({
  'orders.getPrivate': function(orderId) {
    // VULNERABLE: orderId is not type-checked.
    // Attacker sends: { "$ne": "" }
    // Result: Query becomes { _id: { $ne: "" } }, returning all orders.
    return Orders.find({ _id: orderId }).fetch();
  }
});
The Secure Implementation
The vulnerability stems from MongoDB's ability to interpret objects as query operators. When Meteor receives a payload from the DDP wire, it doesn't automatically cast argument types, so a client can send an object where the server expects a string. Using the 'check' package is the primary defense; check(orderId, String) ensures the input is a literal (a String or Number) rather than a nested object containing operators like $ne (not equal). Additionally, you should always include the 'audit-argument-checks' package, which throws an error whenever a Method or Subscription runs without checking every one of its arguments, so no handler can ship without explicit validation.
import { Meteor } from 'meteor/meteor';
import { check } from 'meteor/check';

Meteor.methods({
  'orders.getPrivate': function(orderId) {
    // SECURE: Enforce string type to prevent operator injection
    check(orderId, String);
    const order = Orders.findOne({ _id: orderId });
    // Always verify ownership after fetching
    if (order && order.ownerId !== this.userId) {
      throw new Meteor.Error('not-authorized');
    }
    return order;
  }
});
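To see why the type guard matters, here is an added, self-contained example that is not Meteor's code or part of the original article. It models the two handlers above without a database: a toy in-memory matcher reproduces just enough of MongoDB's selector semantics ($ne, $gt, $regex and literal equality) to show that a selector built from an attacker-supplied object matches every document, while a guard modelled on check(value, String) rejects the object before it reaches the query. The sample orders, the requireString guard and the getPrivateVulnerable/getPrivateSecure function names are constructed for this example; real Meteor code should use the check package and Mongo.Collection as shown above.

```javascript
// Constructed sample collection standing in for the Orders collection.
const ORDERS = [
  { _id: 'ord-1', ownerId: 'u1', total: 10 },
  { _id: 'ord-2', ownerId: 'u2', total: 250 },
  { _id: 'ord-3', ownerId: 'u1', total: 99 },
];

// Toy subset of MongoDB selector semantics: a plain value means equality,
// an object means "apply each operator key to the field value".
function matchesValue(fieldValue, condition) {
  if (condition !== null && typeof condition === 'object') {
    return Object.entries(condition).every(([op, arg]) => {
      switch (op) {
        case '$ne': return fieldValue !== arg;
        case '$gt': return fieldValue > arg;
        case '$regex': return new RegExp(arg).test(String(fieldValue));
        default: throw new Error('unsupported operator in this toy matcher: ' + op);
      }
    });
  }
  return fieldValue === condition;
}

// Minimal find(): every field in the selector must match the document.
function find(docs, selector) {
  return docs.filter(doc =>
    Object.entries(selector).every(([field, cond]) => matchesValue(doc[field], cond))
  );
}

// Guard modelled on check(value, String): only a primitive string passes,
// so an object such as { "$ne": "" } is rejected before any query runs.
function requireString(value) {
  if (typeof value !== 'string') {
    throw new TypeError('Match error: expected String, got ' + (value === null ? 'null' : typeof value));
  }
  return value;
}

// Simulates a DDP method argument: the client controls the JSON, so it can
// send an object where the server expects a plain id.
function argFromWire(json) {
  return JSON.parse(json);
}

// Vulnerable handler (mirrors the article's first snippet): the argument is
// spliced into the selector unchecked, so operators are honoured.
function getPrivateVulnerable(orderId) {
  return find(ORDERS, { _id: orderId });
}

// Hardened handler (mirrors the article's second snippet): type guard first,
// then an ownership check on the single fetched document.
function getPrivateSecure(orderId, userId) {
  requireString(orderId);
  const order = find(ORDERS, { _id: orderId })[0];
  if (order && order.ownerId !== userId) {
    throw new Error('not-authorized');
  }
  return order || null;
}

// Stand-alone run: honest id vs. injected operator against both handlers.
const honest = argFromWire('"ord-1"');
const injected = argFromWire('{"$ne": ""}');
console.log('vulnerable, honest id  :', getPrivateVulnerable(honest).length, 'order(s)');
console.log('vulnerable, injected   :', getPrivateVulnerable(injected).length, 'order(s)');
console.log('secure, honest id      :', getPrivateSecure(honest, 'u1')._id);
try {
  getPrivateSecure(injected, 'u1');
} catch (e) {
  console.log('secure, injected       :', e.message);
}
```

The ownership check after the fetch is deliberate: a valid string id still lets a logged-in user request someone else's order, so type validation alone does not replace authorization.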
Verified by Ghost Labs Security Team