Potential NoSQL injection in Realm query

Documentos > Datadog Security > Code Security > Static Code Analysis (SAST) > Reglas de SAST > Potential NoSQL injection in Realm query

Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Metadata

ID: swift-security/realm-nosql-injection

Language: Unknown

Severity: Error

Category: Security

CWE: 943

Description

This rule detects potential NoSQL injection vulnerabilities in iOS applications using the Realm database. The vulnerability occurs when a Realm query predicate is constructed by concatenating a static string with untrusted user input.

An attacker could provide specially crafted input that alters the logic of the NoSQL query. A successful exploit could allow the attacker to bypass authentication, access or modify sensitive data, or disrupt the application’s functionality.

To remediate this, avoid building queries using string concatenation. Instead, use parameterized queries with NSPredicate, which safely separates the query logic from user-provided values. For example, use NSPredicate(format: "name = %@", userInput) instead of "name = '\(userInput)'".

Non-Compliant Code Examples

import RealmSwift

class User: Object {
    @objc dynamic var username = ""
    @objc dynamic var isAdmin = false
}

func findUser(username: String) {
    let realm = try! Realm()
    
    // --- NON-COMPLIANT ---
    // The query predicate is built by concatenating a string with user input
    // *directly inside the filter call*. This pattern is detected by the rule.
    let results = realm.objects(User.self).filter("username = '" + username + "'")

    print("Found \(results.count) users.")
}

// Example usage
findUser(username: "guest' OR isAdmin = true")

Compliant Code Examples

import Foundation
import RealmSwift

class User: Object {
    @objc dynamic var username = ""
    @objc dynamic var isAdmin = false
}

func findUserSafely(username: String) {
    let realm = try! Realm()

    // --- COMPLIANT ---
    // The query uses NSPredicate, which safely handles user input.
    // There is no `additive_expression` here for the rule to find.
    let safePredicate = NSPredicate(format: "username = %@", username)
    let results = realm.objects(User.self).filter(safePredicate)

    print("Found \(results.count) users.")
}

// Example usage
findUserSafely(username: "guest' OR isAdmin = true")