security.input-validation

Avoid request-driven model queries

Express handlers should not pass raw request data (`req.body`, `req.query`, `req.params`, or objects built from them) into NoSQL filters, query helpers, or aggregation pipelines.

#Metadata

#Why it matters

A JSON body can carry an object where the handler expects a string, so `{"username": "alice"}` can arrive as `{"username": {"$ne": ""}}`. Passed straight into a filter, that turns an equality match into a condition that matches almost every document, which is how a login lookup becomes a bypass. Request-supplied pipeline stages, operator objects, or `$where` expressions go further and let the client decide what the query does rather than just which value it compares against.

#Remediation

Build the filter or pipeline on the server from fixed field names and validated primitive values: check each request value's type, length, and allowed characters, and reject objects and arrays wherever a scalar is expected. Where dynamic filtering is genuinely needed, go through a filter builder that allow-lists the permitted fields and operators instead of passing request data directly.
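The following is an added example written for this page, not code from the critiq rule, from Express, or from the MongoDB driver. It illustrates both the failure mode under "Why it matters" and the remediation above. Express and MongoDB are deliberately not imported: the request body, the user collection, and a tiny in-memory matcher that models only MongoDB's `$ne` and `$gt` operators are constructed inline so the file runs offline. The function names (`vulnerableLoginFilter`, `safeLoginFilter`, `loginVulnerable`, `loginSafe`) and the sample data are assumptions made for the example.

```typescript
// Added example, not from the rule catalog or any project.
// Shows a request-driven login filter next to a hardened one.

type Doc = { username: string; password: string; role: string };

// Constructed sample collection, standing in for a MongoDB collection.
const users: Doc[] = [
  { username: "alice", password: "hunter2", role: "admin" },
  { username: "bob", password: "s3cret", role: "user" },
];

// Minimal model of MongoDB matching semantics: plain values are compared for
// equality, operator objects are evaluated. Only $ne and $gt are modelled; the
// real server supports many more (including $regex and $where).
function matches(doc: Record<string, unknown>, filter: Record<string, unknown>): boolean {
  return Object.entries(filter).every(([field, cond]) => {
    const value = doc[field];
    if (cond !== null && typeof cond === "object" && !Array.isArray(cond)) {
      return Object.entries(cond as Record<string, unknown>).every(([op, operand]) => {
        switch (op) {
          case "$ne":
            return value !== operand;
          case "$gt":
            return typeof value === "string" && typeof operand === "string" && value > operand;
          default:
            throw new Error(`operator ${op} not modelled in this example`);
        }
      });
    }
    return value === cond;
  });
}

function find(filter: Record<string, unknown>): Doc[] {
  return users.filter((d) => matches(d, filter));
}

// VULNERABLE: the anti-pattern the rule flags. Whatever shape the client sent
// for username/password lands in the filter unchanged.
function vulnerableLoginFilter(body: Record<string, unknown>): Record<string, unknown> {
  return { username: body.username, password: body.password };
}

// HARDENED: the filter is assembled from fixed field names and values that have
// been checked to be non-empty strings of bounded length. Objects, arrays,
// numbers and null are rejected before any query is built.
const MAX_LEN = 128;
function requireString(value: unknown, name: string): string {
  if (typeof value !== "string" || value.length === 0 || value.length > MAX_LEN) {
    throw new TypeError(`${name} must be a non-empty string of at most ${MAX_LEN} characters`);
  }
  return value;
}

function safeLoginFilter(body: Record<string, unknown>): { username: string; password: string } {
  return {
    username: requireString(body.username, "username"),
    password: requireString(body.password, "password"),
  };
}

function loginVulnerable(body: Record<string, unknown>): Doc[] {
  return find(vulnerableLoginFilter(body));
}

function loginSafe(body: Record<string, unknown>): Doc[] {
  return find(safeLoginFilter(body));
}

// Constructed attacker payload, i.e. the parsed form of the JSON body
// {"username":{"$ne":""},"password":{"$ne":""}} that express.json() would
// hand to a handler as req.body.
const attackerBody: Record<string, unknown> = {
  username: { $ne: "" },
  password: { $ne: "" },
};

// Honest credentials for comparison.
const aliceBody: Record<string, unknown> = { username: "alice", password: "hunter2" };
```

With the vulnerable filter, `attackerBody` matches every user because `$ne: ""` is true for any non-empty string, so a handler that takes the first result logs the attacker in as `alice`. The hardened builder throws a `TypeError` on the same body before any query runs, while the honest body still matches exactly one document. Note that a bounded-length string check is the floor, not the ceiling: values that reach `$regex`, `$where`, or a pipeline stage need their own allow-listing on top of this.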

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.express-nosql-injection.rule.yaml.