# require-schema-validation

ESLint rule documentation for `require-schema-validation` (plugin: mongodb-security).
Keywords: CWE-20, input validation, Mongoose, schema, security
Requires validation options on Mongoose schema fields to prevent invalid or malicious data.
⚠️ This rule warns by default in the recommended config.
## Quick Summary
| Aspect | Details |
|---|---|
| CWE Reference | CWE-20 (Improper Input Validation) |
| OWASP | A04:2021 - Insecure Design |
| Severity | Medium (CVSS: 6.1) |
| Category | Security |
## Error Message Format

The rule emits LLM-optimized error messages in a compact two-line format with actionable security guidance:

```text
🔒 CWE-20 OWASP:A06 CVSS:7.5 | Improper Input Validation detected | HIGH [SOC2,PCI-DSS,HIPAA,GDPR,ISO27001]
Fix: Review and apply the recommended fix | https://owasp.org/Top10/A06_2021/
```

### Message Components
| Component | Purpose | Example |
|---|---|---|
| Risk Standards | Security benchmarks | CWE-20 OWASP:A06 CVSS:7.5 |
| Issue Description | Specific vulnerability | Improper Input Validation detected |
| Severity & Compliance | Impact assessment | HIGH [SOC2,PCI-DSS,HIPAA,GDPR,ISO27001] |
| Fix Instruction | Actionable remediation | Follow the remediation steps below |
| Technical Truth | Official reference | OWASP Top 10 |
## Rule Details
Mongoose schemas without validation allow arbitrary data, potentially leading to:
- Data corruption
- Injection attacks
- Business logic bypass
### ❌ Incorrect

```javascript
const { Schema } = require('mongoose');

// No validation - every field accepts any value of its type,
// so the database never rejects malformed or unexpected input
const userSchema = new Schema({
  email: String,
  role: String,
  age: Number,
});
```

### ✅ Correct

```javascript
const { Schema } = require('mongoose');

const userSchema = new Schema({
  email: {
    type: String,
    required: true,
    // Basic shape check; rejects strings that are not of the form local@domain.tld
    match: /^[^\s@]+@[^\s@]+\.[^\s@]+$/,
    maxlength: 255,
  },
  role: {
    type: String,
    // Only known roles are accepted, so a client cannot write an arbitrary role value
    enum: ['user', 'admin', 'moderator'],
    default: 'user',
  },
  age: {
    type: Number,
    min: 0,
    max: 150,
    validate: {
      validator: Number.isInteger,
      message: 'Age must be an integer',
    },
  },
});
```

## Known False Negatives

### Dynamic Schema Creation

The rule inspects the object literal passed to `new Schema(...)` at lint time, so a definition assembled at runtime is not checked:

```javascript
// ❌ NOT DETECTED
const { Schema } = require('mongoose');

const fields = {};
fields[fieldName] = String;
const schema = new Schema(fields);
```

## When Not To Use It
- For flexible, schemaless designs where fields are intentionally unconstrained
- When validation is handled at the application layer (for example by a request validator in front of the model)
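To cover the dynamic-schema false negative described above, a definition object can be audited at runtime, just before it is handed to `new Schema(...)`, instead of at lint time. The following is an added example, not code from the mongodb-security plugin or from Mongoose; the function names, the set of keys treated as validators, and the assumption of Mongoose's default `type` key for option objects are mine.

```javascript
// Runtime audit of a Mongoose schema definition object (added example, not part of the rule).
// It reports every path that carries no validation option, including paths added dynamically.

// Options that constrain a value (assumed set; extend it for custom plugins).
const VALIDATOR_KEYS = new Set([
  'required', 'enum', 'match', 'min', 'max', 'minlength', 'maxlength', 'validate',
]);

// A field is a leaf when it is a bare constructor (String) or an options object
// with a `type` key (default Mongoose typeKey, assumed here); anything else is a nested subdocument.
function isLeaf(def) {
  return typeof def === 'function' || (def !== null && typeof def === 'object' && 'type' in def);
}

function hasValidator(def) {
  if (def === null || typeof def !== 'object') return false; // bare constructor: no options at all
  return Object.keys(def).some((key) => VALIDATOR_KEYS.has(key));
}

// Returns dotted paths that have no validation option, walking nested objects and array shorthand.
function findUnvalidatedPaths(definition, prefix = '') {
  const findings = [];
  for (const [name, def] of Object.entries(definition)) {
    const path = prefix ? `${prefix}.${name}` : name;
    // [String] or [{ type: String, ... }] -> inspect the element definition; [] is an unconstrained Mixed array
    const target = Array.isArray(def) ? def[0] : def;
    if (target === undefined) {
      findings.push(path);
    } else if (isLeaf(target)) {
      if (!hasValidator(target)) findings.push(path);
    } else if (target !== null && typeof target === 'object') {
      findings.push(...findUnvalidatedPaths(target, path));
    } else {
      findings.push(path); // unrecognised definition value: treat as unvalidated
    }
  }
  return findings;
}

// Constructed sample: a definition extended at runtime, the case the lint rule cannot see.
const fieldName = 'nickname';
const dynamicFields = { email: { type: String, required: true, maxlength: 255 } };
dynamicFields[fieldName] = String;
dynamicFields.profile = { age: { type: Number, min: 0, max: 150 }, bio: String, tags: [String] };

// Run this check in a test or at startup and fail when it returns a non-empty list.
const unvalidated = findUnvalidatedPaths(dynamicFields);
```

For the constructed sample, `unvalidated` is `['nickname', 'profile.bio', 'profile.tags']`; a schema whose every leaf carries at least one validator yields an empty list.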