New
Introducing React Doctor for Enterprise
Menu
What Is React Doctor?
Quickstart
CLI to CI
How to Fix Issues
GitHub Actions Setup
Updating CI
Other CI Providers
Migrating to CI v2
Config Files
ESLint & oxlint Plugins
CLI Reference
GitHub Action Reference
Node.js API
Changelog
Modified MIT License
Terms of Service
Privacy Policy
Data Use
Security
Support
Rules reference

react-doctor/nosql-injection-risk

Building a NoSQL query from raw client input lets an attacker inject operator-shaped keys or `$where` code and read or alter data they should not.

  • Category: Security
  • Severity: warn
  • Source: oxlint-plugin-react-doctor
  • Framework: global
  • Enabled when: production .js/.ts/.jsx/.tsx/.py files; test/build/doc/generated paths skipped

Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Fires on operator-shaped query construction: a $where value built from a template-literal ${…}, a function, or a Python f-string; .find(JSON.parse(req|request.…)); an .aggregate([{ … $where … }]) pipeline; new RegExp(req|request.…); or a $regex: req|request.… operator. Comments are stripped for JS/TS. FALSE POSITIVE: the $where/$regex/RegExp value is a hard-coded server-side constant rather than client input, or the JSON.parse(req…) result is validated/coerced (operator keys stripped, fields cast to scalars) before it reaches the query — the static check cannot see that sanitization and may over-report.

Fix prompt

Use this once validation confirms the diagnostic is real.

Coerce each query field to its expected scalar type (for example String(req.query.id)) and reject objects or $-prefixed operator keys from client input before building the filter. Avoid $where (server-side JavaScript) entirely, replace request-derived new RegExp/$regex with anchored, escaped patterns or exact matches, and never pass JSON.parse(req.body) straight into .find/.aggregate.