-1

I am using the mongoose create function to add to my collection. I am taking data from the request body and passing it to the create function like this:

const someVariable = req.body;

await userModelName.create(someVariable);

On Veracode, it is showing "Improper Neutralization of Special Elements in Data Query Logic" for this statement: await userModelName.create(someVariable);

Is there any way to modify this code to remove this alert from Veracode?

Vivek Jain
Estarossa

1 Answer

0

You need to perform sanitization, validation or encoding with the req.body. It is a risk to blindly accept input that could potentially be tainted or coming from an untrusted source.

I assume that you are expecting input in the form of JSON, so try escaping req.body using the js-string-escape library:

var jsescape = require('js-string-escape');
// js-string-escape only accepts a string, so escape each string field of the parsed
// body rather than the body object itself (escaping the object yields "[object Object]")
const someVariable = Object.fromEntries(Object.entries(req.body)
  .map(([key, value]) => [key, typeof value === 'string' ? jsescape(value) : value]));
await userModelName.create(someVariable);

Now Veracode might not recognize this third-party encoding library and will still fail your scan. You will have to propose this as a mitigation step to your Security team.

Another alternative is to use Mongoose's Validation feature, if you are expecting specific types of data:

const mongoose = require('mongoose');
const { Schema } = mongoose;

// Validation rules live on the schema, which is bound to the model once;
// create() takes only the document, not the schema.
const schema = new Schema({
  name: {
    type: String,
    required: true
  }
});
const userModelName = mongoose.model('User', schema); // model name assumed

// Values that do not cast to the declared type (for example an object such as
// { $gt: "" } where a String is expected) are rejected with a validation error.
const someVariable = req.body;
await userModelName.create(someVariable);

Again, Veracode might not recognize this either, but these are secure coding best practices.

securecodeninja
  • Yeah, req.body has data in JSON form. So in the mongoose create() function the data will be converted back to its original form? – Estarossa Sep 25 '20 at 10:26
  • I take my original answer back and have modified my answer after realizing the output of the escape method isn't what you would expect – securecodeninja Sep 26 '20 at 02:42
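As an added example (not part of the question or the answer above, and not Mongoose's own code), here is the allow-list check a route handler can run on req.body before handing it to create(). It is plain Node.js with no dependencies; the field names (name, email, age), the 256-character limit and the Mongoose model in the usage comment are assumptions for illustration. The point it demonstrates is the one the finding is about: express.json() parses {"name": {"$ne": null}} into a nested object, so a body that is passed straight to a query or document builder can carry operators, and the defence is to copy only declared fields of declared primitive types into a fresh object and reject everything else.

```javascript
'use strict';

// Declared shape for the "create user" request: field -> expected JS type.
// Field names are an assumption for this example. Anything not listed here
// is dropped, so a client cannot smuggle in fields such as isAdmin or _id.
const USER_FIELDS = {
  name: 'string',
  email: 'string',
  age: 'number',
};
const REQUIRED = ['name', 'email'];
const MAX_STRING_LENGTH = 256; // assumed limit

// Reject any key that a MongoDB query engine would interpret as an operator
// ($gt, $ne, $where, ...) or as a path (dotted keys). The JSON body parser
// happily produces nested objects, so the walk has to be recursive.
function containsOperatorKey(value) {
  if (Array.isArray(value)) return value.some(containsOperatorKey);
  if (value !== null && typeof value === 'object') {
    return Object.keys(value).some(
      (k) => k.startsWith('$') || k.includes('.') || containsOperatorKey(value[k])
    );
  }
  return false;
}

// Build the document that will be handed to Model.create(). Returns a new
// object containing only allow-listed fields with the declared primitive
// types; throws on anything else instead of trying to "repair" the input.
function buildUserDoc(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    throw new TypeError('request body must be a JSON object');
  }
  if (containsOperatorKey(body)) {
    throw new TypeError('request body contains query operator or dotted keys');
  }
  const doc = {};
  for (const [field, expected] of Object.entries(USER_FIELDS)) {
    if (!Object.prototype.hasOwnProperty.call(body, field)) continue;
    const value = body[field];
    if (typeof value !== expected) {
      throw new TypeError(`field "${field}" must be a ${expected}`);
    }
    if (expected === 'string' && value.length > MAX_STRING_LENGTH) {
      throw new TypeError(`field "${field}" is too long`);
    }
    doc[field] = value;
  }
  for (const field of REQUIRED) {
    if (!(field in doc)) throw new TypeError(`field "${field}" is required`);
  }
  return doc;
}

// Usage in the Express route handler (Mongoose model assumed, not shown):
//   const someVariable = buildUserDoc(req.body);   // throws 400-worthy TypeError on bad input
//   await userModelName.create(someVariable);
```

Because the object passed to create() is built from scratch rather than being req.body itself, the taint that a static analyzer tracks from the request is broken by an explicit type check per field, and the Mongoose schema validation from the answer still applies on top as a second layer.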