Fix NoSQL Injection in Quarkus
Quarkus applications utilizing MongoDB via Panache or the native driver are vulnerable to NoSQL Injection when user-controlled input is concatenated directly into query strings. Attackers can inject operators like '$gt', '$ne', or '$where' to bypass authentication, leak sensitive records, or cause Denial of Service. To secure the stack, you must move away from raw string manipulation and leverage Panache's built-in parameter binding or the MongoDB Filters API.
The Vulnerable Pattern
    import java.util.List;
    import jakarta.ws.rs.GET;
    import jakarta.ws.rs.Path;
    import jakarta.ws.rs.QueryParam;

    @GET
    @Path("/users")
    public List<User> findUser(@QueryParam("name") String name) {
        // CRITICAL VULNERABILITY: raw JSON string concatenation
        // An attacker can pass: ?name=admin' , 'password': { '$ne': '1' }
        // The user-controlled value becomes part of the query's structure.
        String query = "{ 'username': '" + name + "' }";
        return User.find(query).list();
    }
The Secure Implementation
The vulnerable code builds a BSON query by concatenating strings, so an attacker can break out of the 'username' field and append additional criteria or operators; it is the NoSQL counterpart of SQL injection. The secure implementation uses Panache's query engine, which handles parameterization for you. By passing the field name and the value as separate arguments, the underlying MongoDB driver encodes the value as a BSON string, so any embedded '$' operators or nested JSON structures are compared literally rather than interpreted as query syntax.
    import java.util.ArrayList;
    import java.util.List;
    import jakarta.ws.rs.GET;
    import jakarta.ws.rs.Path;
    import jakarta.ws.rs.QueryParam;

    @GET
    @Path("/users")
    public List<User> findUser(@QueryParam("name") String name) {
        // SECURE: Panache parameter binding
        // The engine treats the input as a literal value, not as a query operator
        return User.find("username", name).list();
        // ALTERNATIVE (native driver), using the Filters API:
        // return collection.find(Filters.eq("username", name)).into(new ArrayList<>());
    }
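As an added illustration (not code from the page, from Quarkus or from Panache), the standalone Java program below shows why binding the value neutralizes the payload, and adds an assumed defence-in-depth guard that rejects operator keys in any filter built from untrusted input. It assumes the MongoDB Java driver 4.x (org.mongodb:mongodb-driver-sync) on the classpath; the payload string is constructed from the page's comment.

```java
import com.mongodb.MongoClientSettings;
import com.mongodb.client.model.Filters;
import org.bson.BsonDocument;
import org.bson.Document;

import java.util.List;
import java.util.Map;

public class NoSqlInjectionDemo {

    // Secure pattern from the text: the value is bound as a BSON string, never parsed as JSON.
    static BsonDocument boundFilter(String name) {
        return Filters.eq("username", name)
                .toBsonDocument(BsonDocument.class, MongoClientSettings.getDefaultCodecRegistry());
    }

    // Assumed defence-in-depth helper: true if any key, at any depth (including inside
    // arrays such as $or/$in), starts with '$'. Filters built from user input only need
    // plain field names, so an operator key means structure leaked in from the caller.
    @SuppressWarnings("unchecked")
    static boolean containsOperatorKey(Map<String, ?> doc) {
        for (Map.Entry<String, ?> e : doc.entrySet()) {
            if (e.getKey().startsWith("$")) return true;
            if (containsOperatorValue(e.getValue())) return true;
        }
        return false;
    }

    @SuppressWarnings("unchecked")
    private static boolean containsOperatorValue(Object value) {
        if (value instanceof Map<?, ?> nested) return containsOperatorKey((Map<String, ?>) nested);
        if (value instanceof List<?> list) {
            for (Object item : list) if (containsOperatorValue(item)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed input echoing the payload text from the page's comment.
        String payload = "admin' , 'password': { '$ne': '1' }";
        BsonDocument bound = boundFilter(payload);
        // The entire payload is one BSON string value under "username": no new keys,
        // no operator, and the guard passes because "$ne" is inside a string, not a key.
        System.out.println(bound.toJson());
        System.out.println("value preserved: " + bound.getString("username").getValue().equals(payload));
        System.out.println("operator key present: " + containsOperatorKey(bound));

        // A document where the operator has become real structure (constructed for the
        // guard test) is exactly what the guard rejects before the query reaches MongoDB.
        Document structural = Document.parse("{ 'username': 'admin', 'password': { '$ne': '1' } }");
        System.out.println("operator key present: " + containsOperatorKey(structural));
    }
}
```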
Verified by Ghost Labs Security Team