
I'm using MongoEngine in a project, and I was wondering if and how I need to sanitize user input when creating documents and searching them.

For example, when I'm creating a document by providing data from resources like scraped RSS feeds (with feedparser), they can have almost any type of string as data:

RSS(
    rss_link=news.link,
    link=news.feed.link,
    title=news.feed.title,
    subtitle=news.feed.subtitle,
    summary=news.feed.summary,
).save()

Or, when I'm exposing said collection for user queries to find relevant RSS resources:

objects = RSS.objects.search_text(user_input).order_by('$text_score')

Does any type of input sanitization need to be done? Is it different for both cases? The documentation doesn't seem to be discussing this.

Sergey Ronin

1 Answer


When saving a document, MongoEngine will run the field validation. If you use user_input in a query, you need to sanitize it; in this case I believe ensuring that user_input is a string should be sufficient (if you are concerned about injection). As discussed here, injection can be achieved by using dictionaries, so it's important to sanitize.

bagerard
  • So if I understand correctly, simply ensuring a string datatype is sufficient both for search & insertion? – Sergey Ronin Jan 08 '20 at 12:17
  • I believe so; during insertion MongoEngine applies some validation (based on the type of field), but the general recommendation is to always sanitize user inputs – bagerard Jan 09 '20 at 13:07
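The type check the answer recommends, written out as an added example that is not part of the question or answer and uses neither MongoEngine nor a live database. It builds the raw filter documents that the two query styles produce (the `$text` filter is assumed to mirror what `search_text` sends) and shows why a dict reaching the query is the problem: any key beginning with `$` is read by MongoDB as an operator, so the functions reject non-string input and scan the assembled filter for such keys before it would be sent.

```python
from typing import Any

MAX_SEARCH_LEN = 256  # arbitrary cap chosen for this example


def contains_operator(value: Any) -> bool:
    """Return True if a query document (or any nested value in it) carries a
    MongoDB operator, i.e. a dict key starting with "$". Values that came
    from user input should never be able to introduce one."""
    if isinstance(value, dict):
        return any(str(k).startswith("$") or contains_operator(v)
                   for k, v in value.items())
    if isinstance(value, (list, tuple)):
        return any(contains_operator(v) for v in value)
    return False


def sanitize_search_term(user_input: Any) -> str:
    """Enforce the check from the answer: the value must be a str.
    Dicts, lists and numbers are rejected before they reach the query."""
    if not isinstance(user_input, str):
        raise TypeError(f"search term must be str, got {type(user_input).__name__}")
    term = " ".join(user_input.split())  # collapse runs of whitespace
    if not term:
        raise ValueError("search term is empty")
    if len(term) > MAX_SEARCH_LEN:
        raise ValueError("search term too long")
    return term


def build_text_search_filter(user_input: Any) -> dict:
    """Raw filter assumed equivalent to RSS.objects.search_text(term)."""
    return {"$text": {"$search": sanitize_search_term(user_input)}}


def build_field_filter(field: str, user_input: Any) -> dict:
    """Filter for an exact-match lookup such as RSS.objects(title=user_input).
    Without the isinstance check, a dict like {"$gt": ""} passed as
    user_input would become an operator query instead of a literal match."""
    if not isinstance(user_input, str):
        raise TypeError(f"{field} must be str, got {type(user_input).__name__}")
    query = {field: user_input}
    # Belt-and-braces: refuse to send a filter that somehow grew an operator.
    if contains_operator(query):
        raise ValueError("operator keys are not allowed in user-supplied values")
    return query
```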