Date: 2014-05-16  Views: 20405

MongoDB security
MongoDB is also exposed to an attack analogous to SQL injection against relational databases.

Quote:
You must be very careful with security when executing JavaScript on the server. If done
incorrectly, server-side JavaScript is susceptible to injection attacks similar to those that
occur in a relational database. However, by following certain rules around accepting
input, you can use JavaScript safely. Alternatively, you can turn off JavaScript execution
altogether by running mongod with the --noscripting option.
The security issues with JavaScript are all related to executing user-provided programs
on the server. You want to avoid doing that, so make sure you aren’t accepting user input
and passing it directly to mongod. For example, suppose you want to print “Hello,
name!”, where name is provided by the user. A naive approach might be to write a
JavaScript function such as the following:
> func = "function() { print('Hello, "+name+"!'); }"
If name is a user-defined variable, it could be the string "'); db.dropDatabase(); print('", which would turn the code into this:
> func = "function() { print('Hello, '); db.dropDatabase(); print('!'); }"
Now, if you run this code, your entire database will be dropped!


MongoDB uses JavaScript as its scripting language, so a user can submit a piece of malicious JavaScript.


For example:


The front-end page has an input field where the user enters a username,

but the user submits a script like the following:

'); db.dropDatabase();('

and the database is dropped.
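To make the mechanism concrete, here is an added example (not code from the original post or from MongoDB itself) that builds the greeting function the quoted passage describes, first by splicing the username into the program text and then by keeping the program text constant and passing the username as a scope variable. Passing input through a scope is a mitigation the post does not mention; it is shown here as an alternative alongside --noscripting. Both variants are evaluated against a stub "server" (a hypothetical object that only records whether dropDatabase was called), so the example runs offline with Node and never touches a real mongod; the inputs are constructed.

```javascript
// Added example, not part of the original post. Shows why string
// concatenation into server-side JavaScript is injectable and how passing
// user input as a scope variable keeps it as data.

// Stub of the server-side environment (assumption for the demo): records what
// a script did instead of touching a real database. `db` and `print` mimic
// the globals a server-side script would see.
function makeStubEnv() {
  const env = { output: [], dropped: false };
  env.print = (s) => env.output.push(String(s));
  env.db = { dropDatabase: () => { env.dropped = true; } };
  return env;
}

// VULNERABLE: user input becomes part of the program text, exactly like the
// quoted `func = "function() { print('Hello, "+name+"!'); }"` line.
function buildGreetingVulnerable(name) {
  return "function() { print('Hello, " + name + "!'); }";
}

// SAFER: the program text is a constant; the user's value is shipped
// separately as a scope variable, so it can only ever be data, never code.
const GREETING_SOURCE = "function() { print('Hello, ' + name + '!'); }";
function buildGreetingScoped(name) {
  return { code: GREETING_SOURCE, scope: { name: String(name) } };
}

// Emulates a server evaluating a function string with a given scope.
// Assumption: a real server would receive a code+scope object; new Function
// is used here purely so the demo runs offline.
function runOnStub(code, scope) {
  const env = makeStubEnv();
  const names = Object.keys(scope);
  const values = names.map((k) => scope[k]);
  const factory = new Function('print', 'db', ...names, 'return (' + code + ');');
  factory(env.print, env.db, ...values)();
  return env;
}

// Runs both variants on the same input and reports what each one did.
function demo(name) {
  const vuln = runOnStub(buildGreetingVulnerable(name), {});
  const { code, scope } = buildGreetingScoped(name);
  const safe = runOnStub(code, scope);
  return {
    vulnerableDropped: vuln.dropped, vulnerableOutput: vuln.output,
    scopedDropped: safe.dropped, scopedOutput: safe.output,
  };
}

// Constructed inputs: a benign name and the payload quoted in the post.
const BENIGN = 'Alice';
const HOSTILE = "'); db.dropDatabase();('";

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo(BENIGN));   // both variants greet Alice, nothing dropped
  console.log(demo(HOSTILE));  // concatenated variant drops, scoped one only prints
}
```

With the hostile input the concatenated source becomes `function() { print('Hello, '); db.dropDatabase();('!'); }`, which parses cleanly and calls dropDatabase on the stub; the scoped variant prints the payload back as a literal string and never reaches the database.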


Solution

Running mongod with --noscripting turns off execution of user-supplied JavaScript, which prevents this SQL-injection-like attack.
