
ast/nosql-injection-where-user-input

NoSQL injection: $where operator with user-controlled value

critical · AST · sqli · CWE-943 · js · ts

What it detects

A MongoDB query passes `$where` with a value sourced from `req.body`, `req.query`, `req.params`, `req.headers`, `ctx.request`, or `userInput`. The Mongo server evaluates `$where` as JavaScript, so the attacker controls server-side code: `this.password.match(/^a.*/)`-style payloads exfiltrate other users' fields one character at a time. Replace `$where` with declarative operators (`$regex`, `$eq`, `$in`) and validate the user input first, or drop `$where` support for this collection entirely.
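The flagged shape beside a hardened rewrite, as an added example (not the rule's or repoguard's own code): `findUserVulnerable`, `findUserSafe`, `escapeRegex` and `containsWhere` are hypothetical helper names, and the `username` field is assumed. The functions only build and inspect the filter objects a driver would send, so no MongoDB connection is needed.

```javascript
// Added example, not part of the rule page. Builds the filter objects a
// Mongo driver would receive; nothing here talks to a database.

// VULNERABLE: the user-controlled string is interpolated into server-side
// JavaScript. This is the shape the rule flags; shown only for contrast.
function findUserVulnerable(userInput) {
  return { $where: `this.username == '${userInput}'` };
}

// Escape regex metacharacters so the input is matched literally inside $regex.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// HARDENED: validate the input (type and length), then use declarative
// operators only. A non-string (e.g. an injected object) is rejected outright.
function findUserSafe(userInput, { prefix = false } = {}) {
  if (typeof userInput !== 'string' || userInput.length === 0 || userInput.length > 64) {
    throw new TypeError('username must be a non-empty string of at most 64 chars');
  }
  if (prefix) {
    // Prefix search without $where: anchored, escaped $regex.
    return { username: { $regex: `^${escapeRegex(userInput)}` } };
  }
  return { username: { $eq: userInput } };
}

// Pre-flight guard: true if a $where key appears at any depth of the filter,
// so callers can refuse to send it regardless of who assembled the object.
function containsWhere(filter) {
  if (Array.isArray(filter)) return filter.some(containsWhere);
  if (filter === null || typeof filter !== 'object') return false;
  return Object.entries(filter).some(
    ([key, value]) => key === '$where' || containsWhere(value)
  );
}
```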

How it runs

Each file scanned is parsed with the TypeScript Compiler API (via ts-morph). This rule walks the AST looking for the call shape and user-input flow described above. Files larger than 200 KB, or that fail to parse, are skipped.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.