Potential NoSQL injection in Realm query

문서 > Datadog 보안 > Code Security > Static Code Analysis (SAST) > SAST 규칙 > Potential NoSQL injection in Realm query

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

ID: swift-security/realm-nosql-injection

Language: Swift

Severity: Error

Category: Security

CWE: 943

Description

This rule detects potential NoSQL injection vulnerabilities in iOS applications using the Realm database. The vulnerability occurs when a Realm query predicate is constructed by concatenating a static string with untrusted user input.

An attacker could provide specially crafted input that alters the logic of the NoSQL query. A successful exploit could allow the attacker to bypass authentication, access or modify sensitive data, or disrupt the application’s functionality.

To remediate this, avoid building queries using string concatenation. Instead, use parameterized queries with NSPredicate, which safely separates the query logic from user-provided values. For example, use NSPredicate(format: "name = %@", userInput) instead of "name = '\(userInput)'".

Non-Compliant Code Examples

import RealmSwift

class User: Object {
    @objc dynamic var username = ""
    @objc dynamic var isAdmin = false
}

func findUser(username: String) {
    let realm = try! Realm()
    
    // --- NON-COMPLIANT ---
    // The query predicate is built by concatenating a string with user input
    // *directly inside the filter call*. This pattern is detected by the rule.
    let results = realm.objects(User.self).filter("username = '" + username + "'")

    print("Found \(results.count) users.")
}

// Example usage
findUser(username: "guest' OR isAdmin = true")

Compliant Code Examples

import Foundation
import RealmSwift

class User: Object {
    @objc dynamic var username = ""
    @objc dynamic var isAdmin = false
}

func findUserSafely(username: String) {
    let realm = try! Realm()

    // --- COMPLIANT ---
    // The query uses NSPredicate, which safely handles user input.
    // There is no `additive_expression` here for the rule to find.
    let safePredicate = NSPredicate(format: "username = %@", username)
    let results = realm.objects(User.self).filter(safePredicate)

    print("Found \(results.count) users.")
}

// Example usage
findUserSafely(username: "guest' OR isAdmin = true")