GuardAPI

Fix NoSQL Injection in RedwoodJS

RedwoodJS services query the database through Prisma. When the Prisma datasource is MongoDB, a service that forwards a user-controlled object into a query is open to NoSQL injection: where the resolver expects a scalar, the attacker sends an object carrying filter operators through GraphQL. Which operators work depends on the code path. Prisma Client validates ORM calls such as findMany against your schema, so raw MongoDB operators ($gt, $ne, $where) are rejected there, but Prisma's own filter vocabulary (not, in, contains, OR) is accepted, and that is enough to bypass an authentication lookup or dump the whole collection. Raw calls (findRaw, aggregateRaw) hand the filter to the MongoDB driver unchanged, so $-operators apply directly.

The Vulnerable Pattern

// api/src/services/users/users.js
import { db } from 'src/lib/db'

export const users = ({ filter }) => {
  // CRITICAL: a user-controlled object is passed straight into the Prisma 'where' clause.
  // If filter is { "email": { "not": "" } } (or simply {}), the attacker retrieves all users;
  // with findRaw, { "email": { "$ne": "" } } would reach the MongoDB driver unchanged.
  return db.user.findMany({
    where: filter
  })
}

The Secure Implementation

The exploit works because a MongoDB filter is itself a document: nested objects are read as query operators by the driver, and Prisma's query engine likewise reads nested filter objects as operators. In RedwoodJS the object reaches your service whenever the GraphQL SDL declares the argument as a JSON or JSONObject scalar (or another structured input) instead of a primitive, because GraphQL then has nothing to reject. To remediate:

1. Declare query filter arguments as primitive scalars (String, Int, Boolean) in your SDL rather than JSON or JSONObject; GraphQL then refuses an object before the resolver runs.
2. Never pass a request argument through as the 'where' clause. Map each incoming argument to a specific Prisma filter field.
3. Validate in the service as well, with Redwood's built-in 'validate' or Zod, so only scalars of the expected type reach Prisma. A type check, not string sanitisation, is what neutralises operator injection.

// api/src/services/users/users.js
import { validate } from '@redwoodjs/api'
import { db } from 'src/lib/db'

export const users = ({ email }) => {
  // SECURE: enforce a scalar and map it to an explicit Prisma filter,
  // so an injected filter object such as { not: "" } is rejected here.
  if (typeof email !== 'string') throw new Error('email must be a string')
  validate(email, 'Email', { presence: true, email: true })

  return db.user.findMany({ where: { email: { equals: email } } })
}
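The same idea generalised to several filter fields, as an added example that is not from this page or from the RedwoodJS project: an allow-list mapper that turns GraphQL arguments into a Prisma 'where' clause and refuses anything that is not a scalar of the declared type. The UserFilterInput SDL in the comment, the field names, and the FilterError class are assumptions for illustration; the mapper itself is a pure function, so it runs without Prisma or a database.

```javascript
// Added example (hypothetical): allow-list mapping of GraphQL arguments to a Prisma `where`.
// Assumed SDL:
//   input UserFilterInput { email: String, nameStartsWith: String, active: Boolean }
//   type Query { users(filter: UserFilterInput): [User!]! @requireAuth }
// Because every field is a declared scalar, GraphQL already rejects objects before the
// resolver runs; this mapper is the second line of defence (it also covers JSON scalars).

// Each allowed field: the scalar type it must have and the exact Prisma filter it maps to.
const ALLOWED_FILTERS = {
  email: { type: 'string', toWhere: (v) => ({ email: { equals: v } }) },
  nameStartsWith: { type: 'string', toWhere: (v) => ({ name: { startsWith: v } }) },
  active: { type: 'boolean', toWhere: (v) => ({ active: { equals: v } }) },
}

class FilterError extends Error {}

function buildUserWhere(filter = {}) {
  if (filter === null || typeof filter !== 'object' || Array.isArray(filter)) {
    throw new FilterError('filter must be an object')
  }
  const where = {}
  for (const [key, value] of Object.entries(filter)) {
    const rule = ALLOWED_FILTERS[key]
    // Unknown keys (e.g. isAdmin, OR, $where) are never forwarded to Prisma.
    if (!rule) throw new FilterError(`unknown filter field: ${key}`)
    // typeof rejects objects, arrays and null, so { not: "" } or { $ne: "" } never reach Prisma.
    if (typeof value !== rule.type) {
      throw new FilterError(`filter.${key} must be a ${rule.type}`)
    }
    Object.assign(where, rule.toWhere(value))
  }
  return where
}

// In a Redwood service (db is Redwood's Prisma client, assumed here):
//   export const users = ({ filter }) => db.user.findMany({ where: buildUserWhere(filter) })
```

An empty filter yields an empty 'where' and therefore every row, which is fine behind @requireAuth for a listing endpoint but not for a credential lookup; for authentication paths require the specific field and use findUnique on it.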


Verified by Ghost Labs Security Team
