GuardAPI

Fix NoSQL Injection in Warp

NoSQL injection in Warp typically shows up when raw user input is placed directly into a MongoDB filter document without strict type enforcement. In Rust, the flexibility of `serde_json::Value` is a double-edged sword: if you let a request body deserialize as an arbitrary map, an attacker can replace a string literal with an operator object such as `{"$ne": null}`, and the driver will faithfully encode it as a BSON sub-document inside your filter, bypassing authentication or leaking data. No string concatenation or quote-breaking is involved; the injection is purely structural, which is why input sanitization aimed at SQL does nothing against it. To kill this bug you must enforce strong typing at the request boundary, so the field can only ever be a string.

The Vulnerable Pattern

use warp::Filter;
use mongodb::bson::{doc, to_bson};

// VULNERABLE: accepting a raw serde_json::Value lets the client decide what BSON type
// "username" becomes, so an object full of query operators goes straight into the filter.
let route = warp::post()
    .and(warp::path("user"))
    .and(warp::body::json())
    .map(|body: serde_json::Value| {
        // Attacker sends:   {"username": {"$gt": ""}}
        // Resulting filter: { "username": { "$gt": "" } }  -> matches every user
        // to_bson serializes the untyped value exactly as sent: a JSON object becomes a sub-document.
        let filter = doc! { "username": to_bson(&body["username"]).unwrap() };
        execute_query(filter) // the page's placeholder for the actual database call
    });

The Secure Implementation

The exploit relies on MongoDB query operators (`$gt`, `$ne`, `$in`, and so on) arriving inside the JSON body. In the vulnerable snippet, `serde_json::Value` lets the `username` field be a sub-object carrying those operators. The fix applies a type-safe boundary: define a struct whose field is a `String` and extract the body with `warp::body::json::<UserRequest>()`. Serde only deserializes a `String` from a JSON string, so a body whose `username` is an object, array, number or null fails to deserialize, and Warp rejects the request with `400 Bad Request` before the handler, let alone the database driver, ever sees it. Two caveats: the guarantee holds only as long as the typed field flows into `doc!` unchanged (re-wrapping it in `serde_json::Value`, `Bson` or a `HashMap<String, Value>` reopens the hole), and every field that ends up in a filter needs the same treatment, not just `username`.

use warp::Filter;
use serde::Deserialize;
use mongodb::bson::doc;

#[derive(Deserialize)]
struct UserRequest {
    // Enforcing the String type prevents injection of nested objects/operators:
    // serde only accepts a JSON string here, so {"$gt": ""} fails to deserialize.
    username: String,
}

let route = warp::post()
    .and(warp::path("user"))
    .and(warp::body::json::<UserRequest>())
    .map(|req: UserRequest| {
        // req.username is guaranteed to be a String; the filter can only be an equality match
        let filter = doc! { "username": req.username };
        execute_query(filter) // the page's placeholder for the actual database call
    });
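The following is an added, dependency-free model of the two boundaries above; it is not code from this page or from the Warp, serde or mongodb projects. `Value`, `parse_json`, `filter_untyped`, `filter_typed`, `deserialize_user_request` and `contains_operator` are assumed names standing in for `serde_json::Value`, `warp::body::json::<T>()` and the `doc!` macro (the driver converts JSON to BSON structurally, so the filter is modelled with the same `Value` type as the body). It shows, on the same three constructed request bodies, that the untyped path hands an operator sub-document to the filter while the typed path rejects it, and it includes a small operator scan you can use as an assertion in route tests.

```rust
// Added, dependency-free model (not GuardAPI, Warp, serde or mongodb code). Value, parse_json
// and the filter functions are assumptions standing in for serde_json::Value,
// warp::body::json::<T>() and doc!; the filter reuses Value because BSON conversion is structural.
use std::collections::BTreeMap;

/// Untyped document value (subset of JSON: null, strings, objects).
#[derive(Clone, Debug, PartialEq)]
pub enum Value { Null, Str(String), Obj(BTreeMap<String, Value>) }

/// Tiny recursive-descent parser for the subset above (no escapes, numbers or arrays).
pub fn parse_json(input: &str) -> Result<Value, String> {
    let mut p = Parser { s: input.as_bytes(), i: 0 };
    let v = p.value()?;
    p.skip_ws();
    if p.i == p.s.len() { Ok(v) } else { Err(format!("trailing data at byte {}", p.i)) }
}
struct Parser<'a> { s: &'a [u8], i: usize }
impl<'a> Parser<'a> {
    fn peek(&self) -> Option<u8> { self.s.get(self.i).copied() }
    fn skip_ws(&mut self) { while self.peek().map_or(false, |b| b.is_ascii_whitespace()) { self.i += 1; } }
    fn expect(&mut self, b: u8) -> Result<(), String> {
        self.skip_ws();
        if self.peek() == Some(b) { self.i += 1; Ok(()) } else { Err(format!("expected '{}' at byte {}", b as char, self.i)) }
    }
    fn value(&mut self) -> Result<Value, String> {
        self.skip_ws();
        match self.peek() {
            Some(b'"') => Ok(Value::Str(self.string()?)),
            Some(b'{') => self.object(),
            Some(b'n') if self.s[self.i..].starts_with(b"null") => { self.i += 4; Ok(Value::Null) }
            _ => Err(format!("unexpected input at byte {}", self.i)),
        }
    }
    fn string(&mut self) -> Result<String, String> {
        self.expect(b'"')?;
        let start = self.i;
        while self.peek().map_or(false, |b| b != b'"') { self.i += 1; }
        if self.peek().is_none() { return Err("unterminated string".into()); }
        self.i += 1;
        Ok(String::from_utf8_lossy(&self.s[start..self.i - 1]).into_owned())
    }
    fn object(&mut self) -> Result<Value, String> {
        self.expect(b'{')?;
        let mut map = BTreeMap::new();
        self.skip_ws();
        if self.peek() == Some(b'}') { self.i += 1; return Ok(Value::Obj(map)); }
        loop {
            let key = self.string()?;
            self.expect(b':')?;
            let val = self.value()?;
            map.insert(key, val);
            self.skip_ws();
            match self.peek() {
                Some(b',') => self.i += 1,
                Some(b'}') => { self.i += 1; return Ok(Value::Obj(map)); }
                _ => return Err(format!("expected ',' or '}}' at byte {}", self.i)),
            }
        }
    }
}

/// VULNERABLE boundary: whatever the client sent under "username" is copied into the filter,
/// so {"username": {"$gt": ""}} becomes a filter that matches every user.
pub fn filter_untyped(body: &Value) -> Value {
    let username = match body { Value::Obj(m) => m.get("username").cloned().unwrap_or(Value::Null), _ => Value::Null };
    Value::Obj(BTreeMap::from([("username".to_string(), username)]))
}
/// Stand-in for `#[derive(Deserialize)] struct UserRequest { username: String }`.
#[derive(Debug, PartialEq)]
pub struct UserRequest { pub username: String }
/// What serde does for a String field: accept a JSON string and nothing else (Warp turns
/// this Err into a 400 Bad Request before the handler runs).
pub fn deserialize_user_request(body: &Value) -> Result<UserRequest, String> {
    let m = match body { Value::Obj(m) => m, _ => return Err("expected a JSON object".into()) };
    match m.get("username") {
        Some(Value::Str(s)) => Ok(UserRequest { username: s.clone() }),
        Some(other) => Err(format!("invalid type for `username`: expected a string, got {:?}", other)),
        None => Err("missing field `username`".into()),
    }
}
/// HARDENED boundary: deserialize first, so only a String can ever reach the filter.
pub fn filter_typed(body: &Value) -> Result<Value, String> {
    let req = deserialize_user_request(body)?;
    Ok(Value::Obj(BTreeMap::from([("username".to_string(), Value::Str(req.username))])))
}
/// True if any key anywhere in the filter starts with `$`: a useful assertion in route tests.
pub fn contains_operator(filter: &Value) -> bool {
    match filter {
        Value::Obj(m) => m.iter().any(|(k, v)| k.starts_with('$') || contains_operator(v)),
        _ => false,
    }
}

fn main() {
    // Constructed bodies: a legitimate request followed by two operator-injection attempts.
    for raw in [r#"{"username": "alice"}"#, r#"{"username": {"$gt": ""}}"#, r#"{"username": {"$ne": null}}"#] {
        let body = parse_json(raw).expect("valid JSON");
        let untyped = filter_untyped(&body);
        println!("{}\n  untyped: {:?} operator={}\n  typed:   {:?}", raw, untyped, contains_operator(&untyped), filter_typed(&body));
    }
}
```

In the real application the equivalent check is a route test: build the request with `warp::test::request().method("POST").path("/user").json(&serde_json::json!({"username": {"$ne": null}}))`, call `.reply(&route).await`, and assert the status is 400; a legitimate string body should still reach the handler. Run that test against the vulnerable route first to confirm it fails, then against the typed one.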

Verified by Ghost Labs Security Team