fix(mongodb): Ensure arbitrary objects can't be passed as MongoDB ids (#3664)

daffl · web-flow · commit 163e664f231a · 2026-03-04T12:43:29.000-08:00
diff --git a/packages/mongodb/src/adapter.ts b/packages/mongodb/src/adapter.ts
@@ -86,6 +86,9 @@ export class MongoDbAdapter<
     const { $select, $sort, $limit: _limit, $skip = 0, ...query } = (params.query || {}) as AdapterQuery
     const $limit = getLimit(_limit, options.paginate)
     if (id !== null) {
+      if (typeof id !== 'string' && typeof id !== 'number' && !(id instanceof ObjectId)) {
+        throw new BadRequest(`Invalid id '${JSON.stringify(id)}'`)
+      }
       query.$and = (query.$and || []).concat({
         [this.id]: this.getObjectId(id)
       })
diff --git a/packages/mongodb/test/index.test.ts b/packages/mongodb/test/index.test.ts
@@ -839,6 +839,65 @@ describe('Feathers MongoDB Service', () => {
     })
   })
 
+  describe('NoSQL injection via object id', () => {
+    let target: Person
+
+    beforeEach(async () => {
+      target = await app.service('people').create({ name: 'Target' })
+    })
+
+    afterEach(async () => {
+      try {
+        await app.service('people').remove(target._id)
+      } catch (e: unknown) {}
+    })
+
+    it('rejects object as id in get', async () => {
+      await assert.rejects(
+        () => app.service('people').get({ $ne: null } as any),
+        {
+          name: 'BadRequest'
+        }
+      )
+    })
+
+    it('rejects object as id in remove', async () => {
+      await assert.rejects(
+        () => app.service('people').remove({ $ne: null } as any),
+        {
+          name: 'BadRequest'
+        }
+      )
+    })
+
+    it('rejects object as id in update', async () => {
+      await assert.rejects(
+        () => app.service('people').update({ $ne: null } as any, { name: 'Hacked' }),
+        {
+          name: 'BadRequest'
+        }
+      )
+    })
+
+    it('rejects object as id in patch', async () => {
+      await assert.rejects(
+        () => app.service('people').patch({ $ne: null } as any, { name: 'Hacked' }),
+        {
+          name: 'BadRequest'
+        }
+      )
+    })
+
+    it('rejects regex operator as id', async () => {
+      await assert.rejects(
+        () => app.service('people').get({ $regex: '^' } as any),
+        {
+          name: 'BadRequest'
+        }
+      )
+    })
+  })
+
   testSuite(app, errors, 'people', '_id')
   testSuite(app, errors, 'people-customid', 'customid')
 })
