mongoose-mongodb-security
Install: claude install-skill hlsitechio/claude-skills-security
# MongoDB / Mongoose Security Audit
Audit MongoDB usage (raw driver and Mongoose ODM) for NoSQL-specific vulnerabilities.
## When this skill applies
- Reviewing Mongoose schemas and model usage
- Auditing raw MongoDB driver queries
- Checking for NoSQL operator injection
- Reviewing aggregation pipelines for safety
- Auditing tenant scoping across queries
## Workflow
Follow `../_shared/audit-workflow.md`. Companion skill: `prisma-orm-security` for the general IDOR and mass-assignment patterns that are not MongoDB-specific.
### Phase 1: Stack detection
```bash
grep -E '"(mongoose|mongodb|@mongodb[^"]*)":' package.json   # also matches scoped @mongodb/... packages
mongosh --version 2>/dev/null
```
### Phase 2: Inventory
```bash
# Mongoose schemas
grep -rn 'new mongoose.Schema\|new Schema(' src/ | head
# Model queries
grep -rnE 'Model\.(find|findOne|findById|create|update|delete|aggregate)' src/ | head -30
# Operator-bearing queries (potential injection)
grep -rn '\$where\|\$ne\|\$gt\|\$lt\|\$regex' src/
# Aggregation pipelines
grep -rn '\.aggregate(' src/ | head
# Connection strings
grep -rn 'mongodb://\|mongodb+srv://' src/
```
### Phase 3: Detection — the checks
#### NoSQL operator injection
The classic attack: the user submits `{ "$gt": "" }` for the password field, so the query compares against an operator instead of a literal and matches any document whose password is greater than the empty string, i.e. every user.
```js
// BAD — accepts arbitrary operator objects straight from the request body
app.post('/login', async (req, res) => {
  const user = await User.findOne({ email: req.body.email, password: req.body.password });
  // Attacker: { email: { $ne: "" }, password: { $ne: "" } } — finds any user
});
```
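The hardened counterpart, as an added example that is not part of the original skill: `containsOperator`, `requireString` and `buildLoginFilter` are assumed helper names, `matchesNaive` is a deliberately minimal emulation of MongoDB's `$eq`/`$ne`/`$gt` comparison used only to show without a database why the BAD filter above matches the operator payload, and the user record and request bodies are constructed sample data.

```javascript
// Added example, not code from the original skill. Hardened counterpart to the
// BAD login handler: reject operator-bearing input before it reaches findOne().

// True when the value (at any nesting depth) is an object carrying a key that
// begins with '$', i.e. a MongoDB query operator such as $ne or $gt.
function containsOperator(value) {
  if (value === null || typeof value !== 'object') return false;
  if (Array.isArray(value)) return value.some(containsOperator);
  return Object.keys(value).some(
    (key) => key.startsWith('$') || containsOperator(value[key])
  );
}

// Accept only a non-empty string of bounded length; objects, arrays and
// numbers are rejected so `{ "$ne": "" }` can never become part of a filter.
function requireString(field, value, maxLen = 256) {
  if (typeof value !== 'string' || value.length === 0 || value.length > maxLen) {
    throw new TypeError(`${field} must be a non-empty string`);
  }
  return value;
}

// Build the findOne() filter for a login request. Values are validated as
// strings and wrapped in $eq, so even a value that somehow arrived as an
// object would be compared as a literal rather than interpreted as an operator.
function buildLoginFilter(body) {
  if (containsOperator(body)) {
    throw new TypeError('query operators are not allowed in the request body');
  }
  const email = requireString('email', body.email);
  // The password is deliberately NOT part of the filter: look the user up by
  // email, then verify the stored hash in application code (e.g. bcrypt).
  requireString('password', body.password);
  return { email: { $eq: email } };
}

// Minimal emulation of how MongoDB evaluates a filter, limited to the three
// operators needed here. It exists only to make the injection visible offline.
function matchesNaive(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === 'object' && !Array.isArray(cond)) {
      return Object.entries(cond).every(([op, arg]) => {
        if (op === '$eq') return doc[field] === arg;
        if (op === '$ne') return doc[field] !== arg;
        if (op === '$gt') return doc[field] > arg;
        throw new Error(`unsupported operator in emulation: ${op}`);
      });
    }
    return doc[field] === cond;
  });
}

// Constructed sample data and requests (not from any real system).
const sampleUser = { email: 'alice@example.test', password: 'hunter2-hash' };
const attackerBody = { email: { $ne: '' }, password: { $ne: '' } };
const normalBody = { email: 'alice@example.test', password: 'hunter2' };

// Runs the comparison: the BAD filter matches the operator payload, the
// hardened builder rejects it, and a normal request yields a literal filter.
function demo() {
  const naiveMatch = matchesNaive(sampleUser, attackerBody); // true: injection
  let hardenedRejected = false;
  try {
    buildLoginFilter(attackerBody);
  } catch (e) {
    hardenedRejected = e instanceof TypeError;
  }
  const safeFilter = buildLoginFilter(normalBody); // { email: { $eq: 'alice@example.test' } }
  return { naiveMatch, hardenedRejected, safeFilter };
}
```

Type-checking request fields at the boundary is the primary control; wrapping values in `$eq` is defence in depth, and Mongoose 6+ offers the same wrapping globally via its `sanitizeFilter` option. Keeping the password out of the filter and comparing the stored hash in application code removes the password field from the injectable surface entirely.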