How to prevent NoSQL injection when using Morphia with Java EE?


I'm using MongoDB with Morphia Object Document Mapper in Java EE.

@Override
public void removeTrustedDevice(String username, String cookieValue) {
    MongoConnection conn = MongoConnection.getInstance();
    TrustedDeviceDao dao = new TrustedDeviceDao(conn.getDatastore());
    // Typed Morphia query: field names are literals, values are bound as-is
    Query<TrustedDevice> query = dao.createQuery();
    query.and(
            query.criteria("username").equal(username),
            query.criteria("cookieValue").equal(cookieValue)
    );

    List<TrustedDevice> deviceList = query.asList();

    // Delete only the first matching trusted-device record, if any
    if (deviceList != null && !deviceList.isEmpty()) {
        dao.delete(deviceList.get(0));
    }
}

Is there any possibility of NoSQL injection here? If yes, please give me a suggestion or an example for prevention.

evanchooly On BEST ANSWER

I won't say that the chances of such an attack are 0, because hackers are clever, determined types, but I will say that you needn't worry overly much about it and that, in all my years of working with and for MongoDB, I've never heard of such an attack being carried out.

SQL injection attacks work, in part, by leveraging the fact that SQL queries are parsed and evaluated on the server side. Mongo queries arrive at the server already in Document format. MongoDB queries don't support comments in the same way as SQL does and so that attack vector isn't available. Because the queries are already in a well-defined, structured format and aren't parsed on the server, it is much, much harder to pull off a similar attack.
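The following is an added illustration of the point made in the answer; it is not evanchooly's code and not part of the original question. It assumes Morphia 1.x (`org.mongodb.morphia` package, same `criteria(...).equal(...)` API as the asker's code) and an existing `TrustedDevice` entity; the `COOKIE_VALUE` pattern, the class name and the helper method names are assumptions for the example. It contrasts the typed query in the question, where user input can only ever be a BSON string value, with the one pattern that does reintroduce injection risk in a MongoDB application: parsing attacker-controlled text into a query document, where `{"$ne": ""}` becomes an operator instead of a literal.

```java
import java.util.List;
import java.util.regex.Pattern;

import org.bson.Document;
import org.mongodb.morphia.Datastore;
import org.mongodb.morphia.query.Query;

public class TrustedDeviceQueries {

    // Assumed shape of a cookie token: URL-safe characters, bounded length.
    // Validating the value is defence in depth, not what prevents injection.
    private static final Pattern COOKIE_VALUE = Pattern.compile("^[A-Za-z0-9_-]{16,128}$");

    private final Datastore datastore;

    public TrustedDeviceQueries(Datastore datastore) {
        this.datastore = datastore;
    }

    // Safe pattern (same as the question): field names are string literals in
    // the code, the user-supplied values are bound as typed BSON strings, and
    // the driver sends a structured document, so nothing is parsed server-side.
    public List<TrustedDevice> findTrustedDevices(String username, String cookieValue) {
        if (cookieValue == null || !COOKIE_VALUE.matcher(cookieValue).matches()) {
            throw new IllegalArgumentException("cookie value has an unexpected shape");
        }
        Query<TrustedDevice> query = datastore.createQuery(TrustedDevice.class);
        query.and(
                query.criteria("username").equal(username),
                query.criteria("cookieValue").equal(cookieValue)
        );
        return query.asList();
    }

    // Builds the filter the way the typed query does: the text is a value.
    public static Document boundFilter(String cookieValue) {
        return new Document("cookieValue", cookieValue);
    }

    // Pattern to avoid: untrusted text parsed straight into a query document.
    // The same text that is harmless as a value now carries a query operator.
    public static Document parsedFilter(String untrustedJson) {
        return new Document("cookieValue", Document.parse(untrustedJson));
    }

    // Recursively checks whether any key in a filter document is an operator.
    // Useful as a guard wherever a document is assembled from external input.
    public static boolean containsOperatorKeys(Object value) {
        if (value instanceof Document) {
            Document doc = (Document) value;
            for (String key : doc.keySet()) {
                if (key.startsWith("$") || containsOperatorKeys(doc.get(key))) {
                    return true;
                }
            }
        } else if (value instanceof List) {
            for (Object item : (List<?>) value) {
                if (containsOperatorKeys(item)) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample input: text that is an operator document if parsed.
        String attackerText = "{\"$ne\": \"\"}";

        Document bound = boundFilter(attackerText);
        Document parsed = parsedFilter(attackerText);

        System.out.println("bound filter:  " + bound.toJson()
                + " operator keys: " + containsOperatorKeys(bound));
        System.out.println("parsed filter: " + parsed.toJson()
                + " operator keys: " + containsOperatorKeys(parsed));
    }
}
```

Run stand-alone, `main` shows the bound filter carrying the attacker text as a plain string (no operator keys), while the parsed filter carries a `$ne` operator that would match every document with a non-empty `cookieValue`. The practical rule for Morphia and the MongoDB Java driver follows directly: keep user input in value positions of a typed query, never in field names, and never build a query by deserialising JSON that the client controls.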