fix: Prevent NoSQL injection in secret-based authentication

codergautam · claude · codergautam · commit ec561632bd2f · 2026-02-01T01:18:46.000-06:00
- validateSecret.js: Add type check before MongoDB query
- googleAuth.js: Validate secret is string before findOne
- eloRank.js: Add type check for secret parameter
- mapHome.js: Move type validation BEFORE the database query

Attackers could send {"secret": {"$ne": null}} to bypass auth
and authenticate as any user in the database.

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/api/eloRank.js b/api/eloRank.js
@@ -35,7 +35,8 @@ export default async function handler(req, res) {
     let user;
     if(username) {
       user = await User.findOne({ username: username }).collation(USERNAME_COLLATION).cache(120);
-    } else if(secret) {
+    } else if(secret && typeof secret === 'string') {
+      // Prevent NoSQL injection - secret must be a string
       user = await User.findOne({ secret }).cache(120);
     }
 
diff --git a/api/googleAuth.js b/api/googleAuth.js
@@ -107,7 +107,8 @@ export default async function handler(req, res) {
 
   const { code, secret } = req.body;
   if (!code) {
-    if(!secret) {
+    // Prevent NoSQL injection - secret must be a string
+    if(!secret || typeof secret !== 'string') {
       return res.status(400).json({ error: 'Invalid' });
     }
 
diff --git a/api/map/mapHome.js b/api/map/mapHome.js
@@ -40,12 +40,13 @@ export default async function handler(req, res) {
 
   // Skip user lookup for anonymous requests
   if(secret && !isAnon) {
-    const startUser = Date.now();
-    user = await User.findOne({ secret: secret });
-    timings.userLookup = Date.now() - startUser;
+    // Prevent NoSQL injection - validate secret type BEFORE the query
     if(typeof secret !== 'string') {
       return res.status(400).json({ message: 'Invalid input' });
     }
+    const startUser = Date.now();
+    user = await User.findOne({ secret: secret });
+    timings.userLookup = Date.now() - startUser;
     if(!user) {
       return res.status(404).json({ message: 'User not found' });
     }
diff --git a/serverUtils/validateSecret.js b/serverUtils/validateSecret.js
@@ -1,4 +1,9 @@
 export default async function validateSecret(secret, User) {
+  // Prevent NoSQL injection - secret must be a string
+  if (typeof secret !== 'string') {
+    return null;
+  }
+
   const user = await User.findOne({
     secret
   });

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,8 @@ export default async function handler(req, res) {`
`35`	`35`	`let user;`
`36`	`36`	`if(username) {`
`37`	`37`	`user = await User.findOne({ username: username }).collation(USERNAME_COLLATION).cache(120);`
`38`		`- } else if(secret) {`
	`38`	`+ } else if(secret && typeof secret === 'string') {`
	`39`	`+ // Prevent NoSQL injection - secret must be a string`
`39`	`40`	`user = await User.findOne({ secret }).cache(120);`
`40`	`41`	`}`
`41`	`42`
Original file line number	Diff line number	Diff line change
`@@ -107,7 +107,8 @@ export default async function handler(req, res) {`
`107`	`107`
`108`	`108`	`const { code, secret } = req.body;`
`109`	`109`	`if (!code) {`
`110`		`- if(!secret) {`
	`110`	`+ // Prevent NoSQL injection - secret must be a string`
	`111`	`+ if(!secret \|\| typeof secret !== 'string') {`
`111`	`112`	`return res.status(400).json({ error: 'Invalid' });`
`112`	`113`	`}`
`113`	`114`