Getting Started with eslint-plugin-mongodb-security

Ofri Peretz · Posted on May 31 · Originally published at ofriperetz.dev

Tags: #eslint #security #node #devsecops

MongoDB stores JavaScript objects. Your query is already structured data, so there is no "query string" to inject into. That is exactly why NoSQL injection looks different from SQL injection, and why generic security linters miss it.

The attack isn't `; DROP TABLE users; --`. It's this:

```javascript
// POST body: { "username": "admin", "password": { "$ne": null } }
await db.collection("users").findOne({
  username: req.body.username,
  password: req.body.password, // ← operator injection bypasses auth
});
```

Because `{ "$ne": null }` is true for any document whose password field is set, the lookup returns the `admin` document without the attacker knowing the password.

eslint-plugin-mongodb-security is the only ESLint plugin built specifically for MongoDB/Mongoose codebases. Here's how to use it.

## Install

```bash
npm install eslint-plugin-mongodb-security --save-dev
```

`eslint.config.mjs`:

```javascript
import mongodbSecurity from "eslint-plugin-mongodb-security";

export default [
  {
    plugins: { "mongodb-security": mongodbSecurity },
    rules: mongodbSecurity.configs.flagship.rules,
  },
];
```

## The three rules you need most

### 1. no-unsafe-query — NoSQL operator injection (CWE-943, CVSS 9.8)

Fires when a `$where`, `$expr`, or `$function` operator receives a value directly from user input, the exact pattern that lets an attacker inject arbitrary query logic.

```javascript
// ❌ Flagged — $where with user-controlled JavaScript
db.collection("orders").find({
  $where: `this.total > ${req.query.minTotal}`,
});
```

```javascript
// ✅ Safe — use $gt instead of $where
db.collection("orders").find({
  total: { $gt: Number(req.query.minTotal) },
});
```

Note that `Number()` returns `NaN` for a missing or non-numeric parameter, so validate the parsed value (for example with `Number.isFinite`) before it reaches the query.

### 2. no-operator-injection — Query operator in request body (CWE-943, CVSS 9.1)

When req.body (or any request
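The operator-injection pattern from the introduction, and the `no-operator-injection` rule above, worked end to end as an added example. This is not code from the article or from eslint-plugin-mongodb-security: it uses a toy in-memory matcher in place of MongoDB (implementing only equality and `$eq`/`$ne`/`$gt`/`$lt`), a constructed user collection, a constructed attacker payload, and two assumed application-side guards (`requireString` and `hasOperatorKey`) that are not part of the plugin.

```javascript
// Added example, not code from the article or from eslint-plugin-mongodb-security.
// A tiny in-memory matcher stands in for MongoDB so this runs offline; it
// implements only equality and the $eq/$ne/$gt/$lt operators, which is enough
// to show why { "$ne": null } in a request body defeats a findOne() login.

// Constructed sample collection (password values are placeholders, not real hashes).
const users = [
  { _id: 1, username: "admin", password: "hash-of-admin-pw", role: "admin" },
  { _id: 2, username: "alice", password: "hash-of-alice-pw", role: "user" },
];

// Does one stored field satisfy one query condition? Mirrors the MongoDB
// rule that a plain value means equality and an object carries operators.
function fieldMatches(actual, condition) {
  if (condition !== null && typeof condition === "object" && !Array.isArray(condition)) {
    return Object.entries(condition).every(([op, v]) => {
      switch (op) {
        case "$eq": return actual === v;
        case "$ne": return actual !== v;
        case "$gt": return actual > v;
        case "$lt": return actual < v;
        default: throw new Error(`operator ${op} not implemented in this toy matcher`);
      }
    });
  }
  return actual === condition;
}

// Stand-in for db.collection(...).findOne(query); returns null when nothing matches.
function findOne(collection, query) {
  const hit = collection.find((doc) =>
    Object.entries(query).every(([field, cond]) => fieldMatches(doc[field], cond))
  );
  return hit === undefined ? null : hit;
}

// Vulnerable login: request fields flow straight into the query, exactly the
// shape the article shows. With body.password = { $ne: null } the password
// clause is true for every user that has a password at all.
function loginUnsafe(body) {
  return findOne(users, { username: body.username, password: body.password });
}

// Hardened login: each credential must be a plain string before it is used as
// a query value, so an object carrying operators never reaches the database.
// (Assumed application-level check; the plugin only reports the pattern.)
function requireString(value, name) {
  if (typeof value !== "string") {
    throw new TypeError(`${name} must be a string, got ${typeof value}`);
  }
  return value;
}

function loginSafe(body) {
  return findOne(users, {
    username: requireString(body.username, "username"),
    password: requireString(body.password, "password"),
  });
}

// Complementary check for nested or optional fields: refuse any key that
// starts with "$" anywhere in the payload (arrays are walked too).
function hasOperatorKey(value) {
  if (value === null || typeof value !== "object") return false;
  return Object.entries(value).some(
    ([k, v]) => k.startsWith("$") || hasOperatorKey(v)
  );
}

// Constructed attacker payload: the admin username and no password at all.
const attackBody = { username: "admin", password: { $ne: null } };
```

`loginUnsafe(attackBody)` returns the admin document, and `{ "$gt": "" }` in place of `{ "$ne": null }` works just as well, since any non-empty string sorts above the empty string. `loginSafe(attackBody)` throws a `TypeError` before any query is built, and `hasOperatorKey(attackBody)` is `true`, which is the check to run on request bodies that legitimately contain nested objects.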

Source: dev.to