Fix NoSQL Injection in Nitro
Nitro/h3 applications are often backed by NoSQL databases like MongoDB. The primary attack vector is Object Injection via `getQuery` or `readBody`. If an attacker sends a payload like `?id[$gt]=`, Nitro parses this as a nested object. Passing this directly to a database driver allows an attacker to bypass authentication or dump data using operators like `$ne`, `$gt`, or `$regex`.
The Vulnerable Pattern
```javascript
// Assumed context: `db` is the application's MongoDB client; defineEventHandler
// and getQuery are Nitro auto-imports.
export default defineEventHandler(async (event) => {
  const query = getQuery(event);
  // VULNERABLE: if query.username is { "$ne": null }, the filter matches every
  // document and the first user in the collection is returned
  const user = await db.collection('users').findOne({ username: query.username });
  return user;
});
```
The Secure Implementation
The fix involves strict input validation and type enforcement. By using `getValidatedQuery` (or `getValidatedBody`) with a schema validator like Zod, you ensure that the input is a primitive string rather than a potentially malicious object. If an attacker attempts to pass an object where a string is expected, the validator will throw an error, preventing the NoSQL operator from ever reaching the database driver. Always treat `getQuery` as an untrusted object factory.
```javascript
import { z } from 'zod';

export default defineEventHandler(async (event) => {
  // SECURE: getValidatedQuery enforces the schema; z.string() rejects nested
  // objects such as { "$ne": null }, so only a primitive string reaches the driver
  const schema = z.object({ username: z.string().min(1) });
  const { username } = await getValidatedQuery(event, schema.parse);
  const user = await db.collection('users').findOne({ username });
  return user;
});
```
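To see why the string check matters, here is an added, self-contained model of both handlers that is not code from the article or from Nitro. It assumes a tiny in-memory `findOne` that evaluates the operators the article names (`$ne`, `$gt`, `$regex`) the way MongoDB would, and a `validateString` function standing in for `z.string().min(1).parse` so it runs without dependencies; the user records and request bodies are constructed sample data.

```javascript
// Constructed sample data standing in for the `users` collection.
const USERS = [
  { username: 'admin', role: 'admin' },
  { username: 'alice', role: 'user' },
];

// Minimal MongoDB-style matcher (assumed stand-in for the driver): a plain
// value is an equality test; an object whose keys start with '$' is treated
// as a set of query operators, exactly the behaviour an injected object abuses.
function matchesField(actual, expected) {
  if (expected === null || typeof expected !== 'object') return actual === expected;
  return Object.entries(expected).every(([op, arg]) => {
    switch (op) {
      case '$ne': return actual !== arg;
      case '$gt': return actual > arg;
      case '$regex': return new RegExp(arg).test(String(actual));
      default: throw new Error(`unsupported operator ${op}`);
    }
  });
}

function findOne(collection, filter) {
  return collection.find(doc =>
    Object.entries(filter).every(([field, expected]) => matchesField(doc[field], expected))
  ) || null;
}

// Vulnerable handler: whatever the client sent becomes the filter value.
function vulnerableLookup(input) {
  return findOne(USERS, { username: input.username });
}

// Stand-in for z.string().min(1).parse(): only non-empty primitive strings pass,
// so an object such as { "$ne": null } is rejected before any query is built.
function validateString(value) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new Error('username must be a non-empty string');
  }
  return value;
}

// Secure handler: validation runs first, and only the validated string is used.
function secureLookup(input) {
  const username = validateString(input.username);
  return findOne(USERS, { username });
}

// Constructed request bodies, as readBody would return them after JSON parsing.
const honestBody = JSON.parse('{"username":"alice"}');
const operatorBody = JSON.parse('{"username":{"$ne":null}}');

// vulnerableLookup(operatorBody) returns the admin record; secureLookup throws.
```

The detection signal for the vulnerable path is a filter value whose type is `object` where the schema expects a string; the validator turns that into a rejected request instead of a matched document, which is the whole fix.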
Verified by Ghost Labs Security Team