Rules
All ESLint security rules provided by eslint-plugin-mongodb-security
16 Security Rules
Comprehensive coverage of NoSQL injection, credential exposure, and MongoDB/Mongoose vulnerabilities.
All Rules
| Rule | Description |
|---|---|
| no-bypass-middleware | Detects Mongoose operations that bypass middleware hooks (pre/post hooks). |
| no-debug-mode-production | Detects Mongoose debug mode that could expose sensitive query information in production. |
| no-hardcoded-connection-string | Detects hardcoded MongoDB connection strings containing credentials in source code. |
| no-hardcoded-credentials | Detects hardcoded MongoDB authentication credentials in connection options. |
| no-operator-injection | Detects MongoDB operator injection attacks where user input is passed directly as query values, allowing attackers to... |
| no-select-sensitive-fields | Detects queries that may return sensitive fields like passwords, tokens, or API keys. |
| no-unbounded-find | Requires limit() on find queries to prevent resource exhaustion from unbounded result sets. |
| no-unsafe-populate | Detects user-controlled populate() paths that could lead to data exposure or injection. |
| no-unsafe-query | Prevents NoSQL injection by detecting direct use of user input in MongoDB query objects. |
| no-unsafe-regex-query | Detects user input in MongoDB $regex operators that could cause ReDoS (Regular Expression Denial of Service) or infor... |
| no-unsafe-where | Prevents use of the dangerous $where operator, which executes JavaScript on the MongoDB server, enabling Remote Code E... |
| require-auth-mechanism | Requires explicit authentication mechanism specification for MongoDB connections. |
| require-lean-queries | Suggests using .lean() for read-only Mongoose queries to reduce memory usage. |
| require-projection | Requires field projection on queries to minimize data exposure. |
| require-schema-validation | Requires validation options on Mongoose schema fields to prevent invalid or malicious data. |
| require-tls-connection | Requires TLS/SSL encryption for MongoDB connections in production environments. |
Rule Categories
NoSQL Injection Prevention
Rules detecting operator injection, unsafe queries, and regex-based attacks.
Credential Security
Rules preventing hardcoded credentials and connection strings.
Query Safety
Rules enforcing bounded queries, projections, and lean query patterns.
Connection Security
Rules requiring TLS connections and proper authentication mechanisms.