Hey all,
I wrote up an article this week that goes over NoSQL injection in Phoenix applications. It piggy-backs off of my last article about using MongoDB with Elixir.
The general idea is that if you’re using the MongoDB driver directly (not through Ecto), you need to be very careful about how you handle user-provided data. Unsanitized user input placed into a Mongo query can potentially contain query objects (or any other JSON-serializable types), which can be very dangerous.
This kind of thing was much more prevalent in Meteor, where I come from most recently, but I figured I’d do a write-up on it in the context of Elixir/Phoenix as a PSA for the community.
I hope it helps!
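To make the point above concrete, here is an added example (my own, not code from the article) of the vulnerable filter construction beside a hardened one that only lets plain strings reach the driver. It assumes Phoenix has already decoded a JSON body into `params` with string keys and that the driver is the `mongodb` package, with `:mongo` as a hypothetical named connection.

```elixir
defmodule UserQuery do
  @moduledoc """
  Illustrates NoSQL injection when Phoenix params are passed straight into a
  MongoDB filter, and a type check that closes the hole.
  """

  # VULNERABLE: `name` and `password` are whatever the JSON body contained.
  # Because Phoenix decodes JSON into Elixir maps and lists, a client can send
  # {"name": "admin", "password": {"$ne": null}} and the map becomes a query
  # operator instead of a literal string, matching any password.
  def vulnerable_filter(%{"name" => name, "password" => password}) do
    %{"name" => name, "password" => password}
  end

  # HARDENED: only accept binaries; maps, lists, numbers and nil are rejected
  # before they ever reach the driver, so operators cannot be smuggled in.
  def safe_filter(%{"name" => name, "password" => password}) do
    with {:ok, name} <- scalar(name),
         {:ok, password} <- scalar(password) do
      {:ok, %{"name" => name, "password" => password}}
    end
  end

  def safe_filter(_params), do: {:error, :missing_params}

  defp scalar(value) when is_binary(value), do: {:ok, value}
  defp scalar(_other), do: {:error, :invalid_param}

  # Usage in a controller action (hypothetical connection name :mongo).
  # Only a filter that passed the type check is handed to Mongo.find_one/3.
  def lookup(params) do
    case safe_filter(params) do
      {:ok, filter} -> {:ok, Mongo.find_one(:mongo, "users", filter)}
      {:error, reason} -> {:error, reason}
    end
  end

  # Offline demonstration of the difference between the two builders.
  def demo do
    hostile = %{"name" => "admin", "password" => %{"$ne" => nil}}
    benign = %{"name" => "admin", "password" => "hunter2"}

    %{
      vulnerable: vulnerable_filter(hostile),   # operator map goes through
      hardened_hostile: safe_filter(hostile),   # {:error, :invalid_param}
      hardened_benign: safe_filter(benign)      # {:ok, %{"name" => ..., "password" => ...}}
    }
  end
end
```

Run `UserQuery.demo/0` in `iex` to see the hostile map rejected and the benign one accepted; the same scalar check applies to any field you interpolate into a filter, not just login credentials.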