Merge pull request #471 from AikidoSec/patch-mongodb-6-10

Use process.nextTick before wrapping Collection (mongodb v6.10.0)

library/package.json

@@ -94,7 +94,7 @@
     "mongodb": "~6.9",
     "mongodb-v4": "npm:mongodb@^4.0.0",
     "mongodb-v5": "npm:mongodb@^5.0.0",
-    "mongodb-v6": "npm:mongodb@~6.9",
+    "mongodb-v6": "npm:mongodb@^6.0.0",
     "mysql": "^2.18.1",
     "mysql2": "^3.10.0",
     "needle": "^3.3.1",

library/sinks/MongoDB.ts

@@ -2,6 +2,7 @@
 import type { Collection } from "mongodb-v6";
 import { Hooks } from "../agent/hooks/Hooks";
 import { InterceptorResult } from "../agent/hooks/InterceptorResult";
+import type { WrapPackageInfo } from "../agent/hooks/WrapPackageInfo";
 import { detectNoSQLInjection } from "../vulnerabilities/nosql-injection/detectNoSQLInjection";
 import { isPlainObject } from "../helpers/isPlainObject";
 import { Context, getContext } from "../agent/Context";
@@ -186,33 +187,48 @@ export class MongoDB implements Wrapper {
     return undefined;
   }
 
+  private wrapCollection(
+    exports: typeof import("mongodb-v6"),
+    pkgInfo: WrapPackageInfo
+  ) {
+    const collectionProto = exports.Collection.prototype;
+
+    OPERATIONS_WITH_FILTER.forEach((operation) => {
+      wrapExport(collectionProto, operation, pkgInfo, {
+        inspectArgs: (args, agent, collection) =>
+          this.inspectOperation(operation, args, collection as Collection),
+      });
+    });
+
+    wrapExport(collectionProto, "bulkWrite", pkgInfo, {
+      inspectArgs: (args, agent, collection) =>
+        this.inspectBulkWrite(args, collection as Collection),
+    });
+
+    wrapExport(collectionProto, "aggregate", pkgInfo, {
+      inspectArgs: (args, agent, collection) =>
+        this.inspectAggregate(args, collection as Collection),
+    });
+
+    wrapExport(collectionProto, "distinct", pkgInfo, {
+      inspectArgs: (args, agent, collection) =>
+        this.inspectDistinct(args, collection as Collection),
+    });
+  }
+
   wrap(hooks: Hooks) {
     hooks
       .addPackage("mongodb")
       .withVersion("^4.0.0 || ^5.0.0 || ^6.0.0")
       .onRequire((exports, pkgInfo) => {
-        const collectionProto = exports.Collection.prototype;
-
-        OPERATIONS_WITH_FILTER.forEach((operation) => {
-          wrapExport(collectionProto, operation, pkgInfo, {
-            inspectArgs: (args, agent, collection) =>
-              this.inspectOperation(operation, args, collection as Collection),
-          });
-        });
-
-        wrapExport(collectionProto, "bulkWrite", pkgInfo, {
-          inspectArgs: (args, agent, collection) =>
-            this.inspectBulkWrite(args, collection as Collection),
-        });
-
-        wrapExport(collectionProto, "aggregate", pkgInfo, {
-          inspectArgs: (args, agent, collection) =>
-            this.inspectAggregate(args, collection as Collection),
-        });
-
-        wrapExport(collectionProto, "distinct", pkgInfo, {
-          inspectArgs: (args, agent, collection) =>
-            this.inspectDistinct(args, collection as Collection),
+        // From mongodb v6.10.0, the Collection is undefined
+        // It's defined like:
+        // exports.Collection = void 0;
+        // const collection_1 = require("./collection");
+        // Object.defineProperty(exports, "Collection", { enumerable: true, get: function () { return collection_1.Collection; } });
+        // So we need to wait for the next tick to wrap the Collection
+        process.nextTick(() => {
+          this.wrapCollection(exports, pkgInfo);
         });
       });
   }

sample-apps/hono-mongodb/package.json

@@ -3,6 +3,6 @@
     "@aikidosec/firewall": "file:../../build",
     "@hono/node-server": "^1.11.2",
     "hono": "^4.4.2",
-    "mongodb": "^6.3.0"
+    "mongodb": "^6.11.0"
   }
 }