
NoSQL Injection

When user input is parsed as a MongoDB query operator (or the equivalent in CouchDB / Redis-Search), it is passed straight through to the database driver. sanitizeObject walks the request body and strips dangerous keys before your handler sees them.

What it catches

35 MongoDB query operators, blocked at the object-key level (case-insensitive after NFKC):

Sample payload

// Login route receives JSON body:
{ "username": "admin", "password": { "$gt": "" } }

// After Arcis sanitizeObject():
{ "username": "admin", "password": {} }

// In block mode: 403, vector=nosql, rule=patterns.nosql.dangerous-operator
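How a key-level sanitizer of this kind works, as an added example written for this page (it is not Arcis's own sanitizeObject; the operator list is a constructed subset of the 35, and nosqlGuard is a hypothetical middleware name):

```javascript
// Recursive walk over a parsed JSON body that drops keys naming MongoDB
// query operators. Constructed illustration, not the Arcis implementation.

// Constructed subset of operator names for the demo (the real list is longer).
const DANGEROUS_OPERATORS = new Set([
  '$gt', '$gte', '$lt', '$lte', '$ne', '$in', '$nin', '$regex', '$where',
  '$exists', '$or', '$and', '$not', '$nor', '$expr', '$function',
]);

function isDangerousKey(key, allowKeys = []) {
  // Normalise first so Unicode look-alikes (fullwidth "＄") and mixed case
  // ("$GT") cannot slip past a naive string comparison.
  const norm = key.normalize('NFKC').toLowerCase();
  if (allowKeys.includes(norm)) return false;  // per-route opt-in
  return DANGEROUS_OPERATORS.has(norm);
}

// Returns a cleaned copy; every stripped key name is appended to `hits`.
function sanitizeObject(value, allowKeys = [], hits = []) {
  if (Array.isArray(value)) {
    return value.map((v) => sanitizeObject(v, allowKeys, hits));
  }
  if (value === null || typeof value !== 'object') return value;
  const out = {};
  for (const [key, inner] of Object.entries(value)) {
    if (isDangerousKey(key, allowKeys)) {
      hits.push(key);  // record for logging / block mode, then drop the key
      continue;
    }
    out[key] = sanitizeObject(inner, allowKeys, hits);
  }
  return out;
}

// Express-style middleware: sanitize, or in block mode reject with 403.
function nosqlGuard({ block = false, allowKeys = [] } = {}) {
  return (req, res, next) => {
    const hits = [];
    const cleaned = sanitizeObject(req.body, allowKeys, hits);
    if (hits.length && block) {
      return res.status(403).json({ vector: 'nosql', stripped: hits });
    }
    req.body = cleaned;
    next();
  };
}

// The login payload from the sample above, run through the sanitizer:
const sample = { username: 'admin', password: { $gt: '' } };
console.log(JSON.stringify(sanitizeObject(sample)));  // {"username":"admin","password":{}}
```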

Configuration

app.use(arcis({
  block: true,
  sanitize: {
    nosql: {
      enabled: true,
      allowKeys: []   // per-route opt-in for specific operators if you really need them
    }
  }
}));

Disable or dry-run

// Skip on an admin route that legitimately accepts an aggregation pipeline
app.post('/admin/aggregate', arcis({ sanitize: { nosql: false } }), handler);
