Potential NoSQL injection in Realm query

This product is not supported for your selected Datadog site. ().
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

ID: swift-security/realm-nosql-injection

Language: Unknown

Severity: Error

Category: Security

CWE: 943

Description

This rule detects potential NoSQL injection vulnerabilities in iOS applications using the Realm database. The vulnerability occurs when a Realm query predicate is constructed by concatenating a static string with untrusted user input.

An attacker could provide specially crafted input that alters the logic of the NoSQL query. A successful exploit could allow the attacker to bypass authentication, access or modify sensitive data, or disrupt the application’s functionality.

To remediate this, avoid building queries using string concatenation. Instead, use parameterized queries with NSPredicate, which safely separates the query logic from user-provided values. For example, use NSPredicate(format: "name = %@", userInput) instead of "name = '\(userInput)'".

Non-Compliant Code Examples

import RealmSwift

class User: Object {
    @objc dynamic var username = ""
    @objc dynamic var isAdmin = false
}

func findUser(username: String) {
    let realm = try! Realm()
    
    // --- NON-COMPLIANT ---
    // The query predicate is built by concatenating a string with user input
    // *directly inside the filter call*. This pattern is detected by the rule.
    let results = realm.objects(User.self).filter("username = '" + username + "'")

    print("Found \(results.count) users.")
}

// Example usage
findUser(username: "guest' OR isAdmin = true")

Compliant Code Examples

import Foundation
import RealmSwift

class User: Object {
    @objc dynamic var username = ""
    @objc dynamic var isAdmin = false
}

func findUserSafely(username: String) {
    let realm = try! Realm()

    // --- COMPLIANT ---
    // The query uses NSPredicate, which safely handles user input.
    // There is no `additive_expression` here for the rule to find.
    let safePredicate = NSPredicate(format: "username = %@", username)
    let results = realm.objects(User.self).filter(safePredicate)

    print("Found \(results.count) users.")
}

// Example usage
findUserSafely(username: "guest' OR isAdmin = true")
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains