feat: add NoSQL injection skill#404
Greptile Summary
This PR migrates the NoSQL injection guidance from
Confidence Score: 3/5
Hold for CouchDB section — the skill claims coverage it doesn't deliver, which will mislead agents testing CouchDB-backed targets. One P1 finding: CouchDB is declared in-scope in both the intro and the PR description deliverables list, but no CouchDB section exists in the file. This creates a false sense of coverage — the same defect flagged for Cassandra in the prior review round. Score sits at 3/5 (below the P1 ceiling of 4) because the gap directly contradicts stated deliverables.
strix/skills/vulnerabilities/nosql_injection.md — missing CouchDB section
Prompt To Fix All With AI
Fix the following 2 code review issues. Work through them one at a time, proposing concise fixes.
---
### Issue 1 of 2
strix/skills/vulnerabilities/nosql_injection.md:8
**CouchDB listed in scope and PR description but never covered**
The introduction explicitly claims "CouchDB...each have distinct injection surfaces," and the PR description lists "CouchDB: Mango query selector injection" as a delivered item. However, CouchDB appears nowhere else in the file — no Attack Surface entry, no Key Vulnerabilities section, no testing steps. An agent loading this skill is told CouchDB has a distinct injection model but is given zero guidance on Mango query selector injection (`$eq`, `$ne`, `$gt`, `$regex` operators against `_find`), `_all_docs` manipulation, or `_design` view JavaScript injection. This is the same gap the previous review flagged for Cassandra in the old file, now recurring for CouchDB in the new file.
### Issue 2 of 2
strix/skills/vulnerabilities/nosql_injection.md:3
The frontmatter `description` lists Redis, DynamoDB, Elasticsearch, and Neo4j but omits Cassandra and CouchDB — both of which are present in the body. Skill routing and search tooling that indexes this field will not surface the skill for Cassandra or CouchDB queries.
```suggestion
description: NoSQL injection testing covering MongoDB operator injection, authentication bypass, blind extraction, GraphQL variable injection, and Redis/Elasticsearch/DynamoDB/Cassandra/CouchDB/Neo4j-specific attack surfaces
```
Reviews (3): Last reviewed commit: "expand nosql_injection skill, remove leg..."
Replace minimal nosql_injection.md with comprehensive version from usestrix#404 covering MongoDB operator injection, Redis/Elasticsearch/DynamoDB attack surfaces, blind extraction, bypass techniques, and validation methodology.
Add a new vulnerability skill covering NoSQL injection across MongoDB, Redis, Elasticsearch, DynamoDB, and CouchDB. The existing SQL injection skill covers relational databases only; NoSQL stores have fundamentally different injection models (operator injection, operator embedding, RESP protocol injection, Lucene query injection) that require separate guidance.
Coverage:
- MongoDB operator injection ($ne, $gt, $regex, $where, $expr) for authentication bypass and blind data extraction
- Character-by-character $regex blind extraction of tokens and secrets
- $where JavaScript injection with sleep-based timing oracle
- Aggregation pipeline injection ($match, $lookup stage widening)
- Redis RESP protocol injection via newline-delimited command smuggling
- Elasticsearch query_string Lucene injection and Painless script injection
- DynamoDB PartiQL filter expression injection
- Bracket-notation form-body operator delivery (Express body-parser)
- Bypass techniques: type coercion, encoding, operator alternatives
Includes full detection flow, validation steps, and false-positive conditions (Mongoose strict mode, string casting middleware).
…sandra CQL injection
Three reviewer findings addressed:
P1 — $where version boundary: corrected from 'disabled by default in MongoDB 4.4+' to 'disabled by default in MongoDB 7.0+'. MongoDB 4.4 deprecated server-side JavaScript but left javascriptEnabled defaulting to true; the feature was not disabled by default until 7.0. The section now explicitly notes that 4.4-6.x targets are still exploitable unless explicitly hardened.
P1 — Pro Tip usestrix#3: updated to match the corrected version boundary. Previous text 'available and dangerous on pre-4.4' contradicted the main section and would cause testers to skip $where on 4.4-6.x. Now states 'active by default on pre-7.0 instances, including 4.4-6.x'.
P1 — Cassandra coverage gap: the introduction claimed Cassandra as a covered attack surface but the skill body had no Cassandra content. Added Cassandra to the Attack Surface section (CQL injection, ALLOW FILTERING predicates, UDF injection) and added a Cassandra CQL Injection subsection in Key Vulnerabilities covering string concatenation injection, authentication bypass, and boolean extraction.
- Add Neo4j Cypher / APOC, GraphQL variable injection, MongoDB $function, SSJS detection, DoS surface, $not / structure-manipulation bypasses, and PyMongo/Morphia ODM patterns ported from the legacy .jinja prompt.
- Annotate $where payloads to distinguish timing-oracle from direct-filter variants; wrap $function example in its required $expr context.
- Tighten Attack Surface to high-level surfaces and code patterns instead of duplicating the per-DB content in Key Vulnerabilities; drop Pro Tips that restated body content.
- Remove strix/prompts/vulnerabilities/nosql_injection.jinja — superseded by this skill, and not referenced anywhere else in the codebase.
73a78dc to 0c17c5a
CouchDB was named in the intro and stores-in-scope but had no Key Vulnerabilities entry. Add Mango selector operator payloads against _find, _design view JavaScript injection, and _all_docs / admin-party checks. Also surface CouchDB in the testing methodology step for non-MongoDB stores.
Summary
The existing `sql_injection` skill covers relational databases (MySQL, PostgreSQL, MSSQL, Oracle). NoSQL stores have fundamentally different injection models — operator injection, structure injection, RESP protocol injection, and Lucene query injection — requiring separate guidance. MongoDB alone powers a significant portion of modern web backends, and its `$ne`/`$gt`/`$regex` operator injection bypassing authentication is one of the most consistently findable vulnerabilities in Node.js stacks.

This PR adds `strix/skills/vulnerabilities/nosql_injection.md`.

What's Added
New file: `strix/skills/vulnerabilities/nosql_injection.md`

MongoDB coverage:
- Operator injection (`$ne`, `$gt`, `$regex`, `$in`) for authentication bypass — both JSON body and bracket-notation form fields
- Blind extraction with `$regex` with binary search methodology
- `$where` JavaScript injection with `sleep()`-based timing oracle (MongoDB < 4.4)
- Aggregation pipeline injection via `$match`/`$lookup` stages
- Mongoose `{strict: false}` and ODM wrapper identification

Additional NoSQL stores:
- Redis RESP protocol injection via `\r\n` command smuggling
- Elasticsearch `query_string` injection, Painless script injection via `_update`

Detection:
- Error-based fingerprinting (`MongoError`, `CastError`, `ValidationError`)
- Bracket-notation form-body operator delivery (Express `body-parser` behavior)

Test Plan
- `{"username": {"$ne": null}, "password": {"$ne": null}}` to a login endpoint — confirm bypass
- `username[$ne]=invalid&password[$ne]=invalid` in form body — confirm same bypass
- `$regex` blind extraction to retrieve first character of a password hash or reset token
- `$where` timing differential on a MongoDB < 4.4 target
- `query_string` with `role:admin` against a user search endpoint
- `make check-all`
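The two delivery vectors in the test plan (JSON body and Express bracket-notation form body) both end with an object carrying a `$`-prefixed key being copied into a MongoDB filter. The following is an added example, not code from this PR or the strix project, that models that flow offline and shows the hardened filter builder a defender would want; `parseBracketForm` is a one-level stand-in for the `qs`/Express extended parser, and the request bodies are constructed samples.

```javascript
// Added example (not from the PR or the strix project). Models the two
// delivery vectors from the test plan (JSON body and bracket-notation form
// body) and shows a hardened filter builder. No MongoDB client needed.

// Minimal model of Express/qs extended form parsing: "username[$ne]=invalid"
// becomes { username: { $ne: "invalid" } }, which is how form-encoded
// requests deliver operators. One bracket level only (enough for this case).
function parseBracketForm(formBody) {
  const out = {};
  for (const pair of formBody.split("&")) {
    const [rawKey, rawVal = ""] = pair.split("=");
    const key = decodeURIComponent(rawKey);
    const val = decodeURIComponent(rawVal);
    const m = /^([^\[\]]+)\[([^\[\]]+)\]$/.exec(key);
    if (m) {
      (out[m[1]] ??= {})[m[2]] = val;
    } else {
      out[key] = val;
    }
  }
  return out;
}

// Vulnerable pattern: body values are copied into the filter unchanged, so
// an object such as { $ne: null } becomes a query operator, not a literal.
function buildLoginFilterVulnerable(body) {
  return { username: body.username, password: body.password };
}

// True if any key anywhere in the value starts with "$" or contains ".",
// the shapes that MongoDB interprets as operators or field paths.
function containsOperatorKey(value) {
  if (Array.isArray(value)) return value.some(containsOperatorKey);
  if (value === null || typeof value !== "object") return false;
  return Object.entries(value).some(
    ([k, v]) => k.startsWith("$") || k.includes(".") || containsOperatorKey(v)
  );
}

// Hardened pattern: reject operator keys and require plain strings for the
// credential fields (the "string casting" false-positive condition the PR
// names is the same idea applied as middleware). Throws on a bad body.
function buildLoginFilterHardened(body) {
  if (containsOperatorKey(body)) throw new TypeError("operator key in body");
  for (const f of ["username", "password"]) {
    if (typeof body[f] !== "string") throw new TypeError(`${f} must be a string`);
  }
  return { username: body.username, password: body.password };
}
```

Running `containsOperatorKey` over the filter produced by the vulnerable builder is also a cheap check to add as a test in any codebase that builds filters from request bodies.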