How to Disable Server-Side Javascript on MongoDB
Learn how to protect your MongoDB server from NoSQL injection attacks by disabling server-side JavaScript features
All of the following MongoDB operations permit you to run arbitrary JavaScript expressions directly on the server:
These methods can be convenient, but they pose a serious risk to your database integrity if your application does not sanitize and escape user-provided values properly, as the many published reports of NoSQL injection attacks show.
Indeed, you can express most queries in MongoDB without JavaScript, so the most sensible option is to completely disable server-side JavaScript.
Disabling server-side Javascript on MongoDB
Open /etc/mongod.conf with your favorite code editor and look for the security section:

security:
  authorization: "enabled"
(If you can't find mongod.conf, or it is named mongodb.conf instead, you are using a really old and broken version of MongoDB. Please read this guide on how to upgrade to a more recent version.)
Make sure to add the following line inside the security section:

  javascriptEnabled: false
Now save the file and restart mongod:

$ sudo service mongodb restart
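The edit-and-restart procedure above can be scripted so that it is idempotent and auditable across many hosts. The following is an added example, not code from the original post or from MongoDB: a stdlib-only Python script that reports whether an existing mongod.conf already sets security.javascriptEnabled to false (mongod's default is true, so a missing key counts as enabled) and otherwise patches the file, adding the security section if it is absent. The path /etc/mongod.conf is the one the post uses; SAMPLE_CONF is a constructed configuration for demonstration, and the script deliberately does not restart the service.

```python
"""Audit and patch mongod.conf so that security.javascriptEnabled is false.

Added example (not from the original post).  Stdlib only: the line-based
handling below covers the indented YAML layout mongod.conf uses, without
needing PyYAML.  Run as root against the real file to apply the change.
"""
import re
import sys

DEFAULT_CONF = "/etc/mongod.conf"  # path used in the post
SECURITY_HEADER = re.compile(r"^security:\s*(#.*)?$")
JS_LINE = re.compile(r"^(\s+)javascriptEnabled:\s*(\S+)")
INDENT = "  "  # mongod.conf conventionally uses two-space indentation

# Constructed sample modelled on a default mongod.conf (not a real file).
SAMPLE_CONF = """\
# constructed sample modelled on a default mongod.conf
storage:
  dbPath: /var/lib/mongodb

security:
  authorization: "enabled"

net:
  port: 27017
"""


def _is_filler(line):
    """Blank lines and comments belong to no section in particular."""
    s = line.strip()
    return not s or s.startswith("#")


def _security_block(lines):
    """Return (start, end) of the top-level security section, or None.

    start indexes the 'security:' line; end is one past the last indented
    child, with trailing blank/comment lines excluded so a new key can be
    appended directly under the existing children.
    """
    for i, line in enumerate(lines):
        if SECURITY_HEADER.match(line):
            j = i + 1
            while j < len(lines) and (lines[j][:1] in (" ", "\t") or _is_filler(lines[j])):
                j += 1
            while j > i + 1 and _is_filler(lines[j - 1]):
                j -= 1
            return i, j
    return None


def javascript_disabled(text):
    """True only when security.javascriptEnabled is explicitly false."""
    lines = text.splitlines()
    span = _security_block(lines)
    if span is None:
        return False
    for line in lines[span[0] + 1 : span[1]]:
        m = JS_LINE.match(line)
        if m:
            return m.group(2).strip("\"'").lower() == "false"
    return False  # key absent: mongod defaults to JavaScript enabled


def disable_javascript(text):
    """Return the config text with security.javascriptEnabled: false.

    Idempotent: rewrites an existing key, appends it to an existing security
    section, or creates the section when the file has none.
    """
    lines = text.splitlines()
    span = _security_block(lines)
    if span is None:
        if lines and lines[-1].strip():
            lines.append("")
        lines += ["security:", f"{INDENT}javascriptEnabled: false"]
        return "\n".join(lines) + "\n"
    start, end = span
    for i in range(start + 1, end):
        m = JS_LINE.match(lines[i])
        if m:
            lines[i] = f"{m.group(1)}javascriptEnabled: false"
            return "\n".join(lines) + "\n"
    # Adopt the section's own indentation (shallowest child) for the new key.
    indents = [len(l) - len(l.lstrip()) for l in lines[start + 1 : end] if not _is_filler(l)]
    indent = " " * min(indents) if indents else INDENT
    lines.insert(end, f"{indent}javascriptEnabled: false")
    return "\n".join(lines) + "\n"


def main(argv):
    path = argv[1] if len(argv) > 1 else DEFAULT_CONF
    with open(path) as fh:
        text = fh.read()
    if javascript_disabled(text):
        print(f"{path}: server-side JavaScript already disabled")
        return 0
    with open(path, "w") as fh:
        fh.write(disable_javascript(text))
    print(f"{path}: set security.javascriptEnabled: false; restart mongod to apply")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root (for example `sudo python3 disable_js.py /etc/mongod.conf`), then restart mongod as shown above; the audit function alone is also useful in a configuration check that runs on every host. Note the scope of the change: disabling server-side JavaScript removes the JavaScript-evaluation vector, but a query object assembled from unsanitized user input can still be manipulated through ordinary query operators, so validating user-supplied values in the application remains necessary.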
Done! Your deployment is now resistant to NoSQL injections!