Interlace ESLint
MongoDB Rules

require-schema-validation

Requires validation options on Mongoose schema fields to prevent invalid or malicious data.

Keywords: CWE-20, input validation, Mongoose, schema, security

⚠️ This rule warns by default in the recommended config.

Quick Summary

Aspect          | Details
----------------|------------------------------------
CWE Reference   | CWE-20 (Improper Input Validation)
OWASP           | A04:2021 - Insecure Design
Severity        | Medium (CVSS: 6.1)
Category        | Security

Error Message Format

The rule emits LLM-optimized error messages in a compact two-line format with actionable security guidance:

🔒 CWE-20 OWASP:A06 CVSS:7.5 | Improper Input Validation detected | HIGH [SOC2,PCI-DSS,HIPAA,GDPR,ISO27001]
   Fix: Review and apply the recommended fix | https://owasp.org/Top10/A06_2021/

Message Components

Component             | Purpose                | Example
----------------------|------------------------|------------------------------------------------
Risk Standards        | Security benchmarks    | CWE-20 OWASP:A06 CVSS:7.5
Issue Description     | Specific vulnerability | Improper Input Validation detected
Severity & Compliance | Impact assessment      | HIGH [SOC2,PCI-DSS,HIPAA,GDPR,ISO27001]
Fix Instruction       | Actionable remediation | Follow the remediation steps below
Technical Truth       | Official reference     | OWASP Top 10

Rule Details

Mongoose schemas whose fields carry only a type (for example `email: String`) accept any value of that type, which can lead to:

  • Data corruption
  • Injection attacks
  • Business logic bypass

❌ Incorrect

const { Schema } = require('mongoose');

// No validation - every field is type-only, so any string or number is stored
const userSchema = new Schema({
  email: String,
  role: String,
  age: Number,
});

✅ Correct

const { Schema } = require('mongoose');

const userSchema = new Schema({
  email: {
    type: String,
    required: true,                         // reject documents without an email
    match: /^[^\s@]+@[^\s@]+\.[^\s@]+$/,    // basic shape check
    maxlength: 255,                         // bound the stored length
  },
  role: {
    type: String,
    enum: ['user', 'admin', 'moderator'],   // only known roles are accepted
    default: 'user',                        // least-privilege default
  },
  age: {
    type: Number,
    min: 0,
    max: 150,
    validate: {
      validator: Number.isInteger,
      message: 'Age must be an integer',
    },
  },
});
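To make the difference between the two definitions concrete without a database, the following added example (not code from the Interlace ESLint project) emulates the handful of Mongoose options used above: `required`, `match`, `maxlength`, `enum`, `default`, `min`, `max` and `validate`. The emulator, the field-level type check and the sample documents are all constructed for this illustration and are a simplification of what Mongoose itself does; the point is to show which inputs the type-only schema lets through and the hardened schema rejects.

```javascript
// Added example, not part of the Interlace ESLint project or of Mongoose.
// A minimal emulation of the Mongoose validation options used on this page,
// applied to the weak and hardened schema definitions. No database needed.

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// The "Incorrect" definition: type-only fields, no constraints.
const weakUserSchema = { email: String, role: String, age: Number };

// The "Correct" definition from the page.
const strictUserSchema = {
  email: { type: String, required: true, match: EMAIL_RE, maxlength: 255 },
  role: { type: String, enum: ['user', 'admin', 'moderator'], default: 'user' },
  age: {
    type: Number, min: 0, max: 150,
    validate: { validator: Number.isInteger, message: 'Age must be an integer' },
  },
};

// Normalise the `field: String` shorthand into the object form.
function normalize(def) {
  return typeof def === 'function' ? { type: def } : def;
}

// Check one value against one field definition. Returns an error string or null.
// The type check is a constructed approximation of Mongoose's cast step.
function checkField(name, def, value) {
  const d = normalize(def);
  if (value === undefined) return d.required ? `${name}: required` : null;
  if (d.type === String && typeof value !== 'string') return `${name}: not a string`;
  if (d.type === Number && typeof value !== 'number') return `${name}: not a number`;
  if (d.match && !d.match.test(value)) return `${name}: does not match pattern`;
  if (d.maxlength !== undefined && value.length > d.maxlength) return `${name}: too long`;
  if (d.enum && !d.enum.includes(value)) return `${name}: not in enum`;
  if (d.min !== undefined && value < d.min) return `${name}: below min`;
  if (d.max !== undefined && value > d.max) return `${name}: above max`;
  if (d.validate && !d.validate.validator(value)) return `${name}: ${d.validate.message}`;
  return null;
}

// Validate a whole document against a schema. Defaults are applied before
// the checks so that a defaulted field is itself validated (e.g. against enum).
function validateDocument(schema, input) {
  const errors = [];
  const doc = {};
  for (const [name, def] of Object.entries(schema)) {
    const d = normalize(def);
    let value = input[name];
    if (value === undefined && d.default !== undefined) value = d.default;
    const err = checkField(name, def, value);
    if (err) errors.push(err);
    else if (value !== undefined) doc[name] = value;
  }
  return { ok: errors.length === 0, errors, doc };
}

// Constructed sample: malformed email, unknown role, negative non-integer age.
const suspicious = { email: 'not-an-email', role: 'superuser', age: -1.5 };
console.log('weak   :', validateDocument(weakUserSchema, suspicious));
console.log('strict :', validateDocument(strictUserSchema, suspicious));
console.log('missing:', validateDocument(strictUserSchema, {}));

module.exports = { weakUserSchema, strictUserSchema, checkField, validateDocument };
```

Running it shows the type-only schema accepting the suspicious document unchanged (it is a string, a string and a number, which is all that schema asks for), while the hardened schema reports three field errors and, for an empty document, refuses to create a user without an email while still filling in the `user` default for `role`.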

Known False Negatives

Dynamic Schema Creation

// ❌ NOT DETECTED - the field map is built at runtime, so the rule cannot
// see that `fieldName` ends up as a type-only field
const fields = {};
fields[fieldName] = String;
const schema = new Schema(fields);

When Not To Use It

  • For flexible schema designs (a schemaless approach)
  • When validation is handled at the application layer
