no-bypass-middleware

Detects Mongoose operations that bypass middleware hooks (pre/post hooks).

Keywords: CWE-284, middleware, hooks, Mongoose, pre, post, security

⚠️ This rule warns by default in the recommended config.

Quick Summary

| Aspect | Details |
|---|---|
| CWE Reference | CWE-284 (Improper Access Control) |
| OWASP | A01:2021 - Broken Access Control |
| Severity | Medium (CVSS: 5.3) |
| Category | Security |

Error Message Format

The rule emits LLM-optimized error messages in a compact two-line format with actionable security guidance:

🔒 CWE-284 OWASP:A01 CVSS:7.5 | Improper Access Control detected | HIGH
   Fix: Review and apply the recommended fix | https://owasp.org/Top10/A01_2021/

Message Components

| Component | Purpose | Example |
|---|---|---|
| Risk Standards | Security benchmarks | CWE-284 OWASP:A01 CVSS:7.5 |
| Issue Description | Specific vulnerability | Improper Access Control detected |
| Severity & Compliance | Impact assessment | HIGH |
| Fix Instruction | Actionable remediation | Follow the remediation steps below |
| Technical Truth | Official reference | OWASP Top 10 |

Rule Details

Some Mongoose query methods bypass document middleware hooks, so any logic implemented in those hooks is skipped, for example:

  • Password hashing
  • Audit logging
  • Access control checks
  • Data sanitization

Methods That Bypass Middleware

| Method | Runs save Middleware? |
|---|---|
| Model.updateOne() | ❌ No |
| Model.updateMany() | ❌ No |
| Model.findOneAndUpdate() | ❌ No |
| Model.findByIdAndUpdate() | ❌ No |
| document.save() | ✅ Yes |

❌ Incorrect

```js
// Bypasses pre('save') middleware - password won't be hashed!
User.findByIdAndUpdate(id, { password: 'newpassword' });

// Bypasses all document middleware
User.updateMany({ role: 'user' }, { verified: true });
```

✅ Correct

```js
// Use findOne + save to trigger middleware
const user = await User.findById(id);
user.password = 'newpassword';
await user.save(); // pre('save') runs, password gets hashed

// Or hash inside a query hook so the update path is covered as well.
// Assumes bcrypt is available; getUpdate()/setUpdate() are Mongoose Query methods.
userSchema.pre('findOneAndUpdate', async function () {
  const update = this.getUpdate();
  const target = update && update.$set ? update.$set : update; // handle { $set: { password } } too
  if (target && target.password) {
    target.password = await bcrypt.hash(target.password, 10);
    this.setUpdate(update);
  }
});
```

Known False Negatives

Dynamic Method Calls

```js
// ❌ NOT DETECTED
const method = 'updateOne';
Model[method]({ ... });
```
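To make the detection logic of the Rule Details section and the dynamic-call false negative concrete, here is an added example (not the Interlace ESLint project's own rule source) of a minimal ESLint-style rule in the `{ meta, create }` shape. It flags calls to the four bypassing methods listed above when they appear as static member calls, and it deliberately ignores computed calls such as `Model[method](...)`, which is exactly why that pattern is a known false negative. The `callNode` builder, the `lint` harness and the `SAMPLE` list are constructed for this example so it runs without ESLint, Mongoose or a database; the message text paraphrases the page's compact format and is not the project's real wording.

```javascript
// Added example, not the Interlace ESLint rule source: a minimal ESLint-style
// rule that flags Mongoose update methods known to skip document middleware,
// plus a tiny harness that feeds it hand-built ESTree nodes.

// Mongoose query methods that do not run document ('save') middleware.
const BYPASSING_METHODS = new Set([
  'updateOne',
  'updateMany',
  'findOneAndUpdate',
  'findByIdAndUpdate',
]);

// Rule in ESLint's { meta, create } shape. The message mirrors the compact
// two-line format described on this page (wording constructed for the example).
const noBypassMiddleware = {
  meta: {
    type: 'problem',
    docs: { description: 'Detects Mongoose operations that bypass middleware hooks' },
    messages: {
      bypass:
        'CWE-284 OWASP:A01 | Mongoose {{method}}() bypasses document middleware (pre/post save hooks) | MEDIUM\n' +
        "   Fix: load the document and call save(), or implement a pre('{{method}}') hook",
    },
  },
  create(context) {
    return {
      CallExpression(node) {
        const callee = node.callee;
        // Only static, non-computed member calls are recognised:
        // Model.updateOne(...) is checked, Model[method](...) is not (known false negative).
        if (
          callee.type !== 'MemberExpression' ||
          callee.computed ||
          callee.property.type !== 'Identifier'
        ) {
          return;
        }
        if (BYPASSING_METHODS.has(callee.property.name)) {
          context.report({ node, messageId: 'bypass', data: { method: callee.property.name } });
        }
      },
    };
  },
};

// Builds an ESTree CallExpression for `obj.prop(...)` (computed = false) or
// `obj[prop](...)` where prop is a variable name (computed = true).
function callNode(objectName, propertyName, computed = false) {
  return {
    type: 'CallExpression',
    callee: {
      type: 'MemberExpression',
      computed,
      object: { type: 'Identifier', name: objectName },
      property: { type: 'Identifier', name: propertyName },
    },
    arguments: [],
  };
}

// Runs the rule's CallExpression handler over the given nodes and returns the
// rendered messages, emulating the small part of ESLint's context we need.
function lint(nodes) {
  const reports = [];
  const context = {
    report({ messageId, data }) {
      let text = noBypassMiddleware.meta.messages[messageId];
      for (const [key, value] of Object.entries(data)) {
        text = text.split(`{{${key}}}`).join(value);
      }
      reports.push(text);
    },
  };
  const handlers = noBypassMiddleware.create(context);
  for (const node of nodes) handlers.CallExpression(node);
  return reports;
}

// Constructed sample: the incorrect and correct calls from this page plus the
// dynamic-call false negative.
const SAMPLE = [
  callNode('User', 'findByIdAndUpdate'), // flagged
  callNode('User', 'updateMany'),        // flagged
  callNode('user', 'save'),              // not flagged: runs middleware
  callNode('Model', 'method', true),     // Model[method](...): not detected
];

console.log(lint(SAMPLE).join('\n'));
```

Running the block prints two findings (for `findByIdAndUpdate` and `updateMany`) and nothing for `save()` or the computed call. Resolving `Model[method]` would require tracking the constant assigned to `method` across the scope, which is why a static-AST rule of this shape reports nothing there.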

When Not To Use It

  • When you've implemented pre('updateOne') and similar hooks
  • For operations that intentionally skip middleware
