"NoSQL means Not-injectable, right?" makes no sense to me. It doesn't matter which type of database technology you are using. As with any other database, there are security roles. No MongoDB query should be executed as an admin. You can restrict that down to the document level. You can even create read-only views. You should always validate your payload. Use e.g. Joi: https://github.com/hapijs/joi. Someone who doesn't validate his payload and passes it straight to the driver should not be surprised.
This isn't injection at all. No commands other than the find are being performed. Little Bobby Tables (Little Bobby Collections?) will not have any luck here.

In addition to the fact that you can't execute arbitrary commands with this example, the example itself is flawed. If the programmer's intention was to exclude "secret projects" from all searches, then they should have written the query to do that. They didn't, and allowed multiple other ways of accessing those records.

Writing some code that does something different to what you intended it to do is not a NoSQL injection, it's just bad code.
Noob question. I get that this is a problem and what it could do, but wouldn't doing simple checks and validations of any client input solve this problem?
If you're letting users query against a collection using a fairly arbitrary filter, then not having something to ensure they are authorized to view (or update, etc.) the results is almost certainly a mistake. Also, describing $gte as a "command" seems misleading; if you could use $where in embedded queries it would maybe be a different story, but since I don't think you can, this seems hyperbolic.
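The thread turns on two points: whether validating client input (the first comment's Joi suggestion, the third comment's question) actually closes the hole, and whether an operator like $gte in a filter value deserves to be called a "command". The following is an added example, not code from the thread or from any project the commenters mention. It models a login handler that turns a JSON body into a MongoDB filter, shows how an object value such as {"$gte": ""} changes the meaning of the filter from an equality test to a comparison, and contrasts the naive handler with one that validates the payload first. The field names, length limits and sample request bodies are constructed for illustration; the inline rules stand in for a Joi schema so the code runs with no dependencies and no database.

```javascript
// Added example, not code from the thread. It models the login-handler pattern
// the comments argue about: a JSON body is turned into a MongoDB filter. If a
// value is copied through unchanged, a client can send an object such as
// {"$gte": ""} instead of a string; the server reads that object as an operator
// document, so the field is no longer compared for equality. Field names, rules
// and sample bodies below are constructed for illustration. No database is
// needed: the filters are only built and inspected.

// Naive handler: values from the body go straight into the filter.
function buildFilterNaive(body) {
  return { username: body.username, password: body.password };
}

// In a filter, a plain scalar value is an equality test; a non-array object
// whose keys start with "$" is an operator document.
function isOperatorDocument(value) {
  return (
    value !== null &&
    typeof value === "object" &&
    !Array.isArray(value) &&
    Object.keys(value).some((k) => k.startsWith("$"))
  );
}

// True if any field of the filter carries an operator document supplied by the
// request rather than a scalar to compare against.
function hasInjectedOperator(filter) {
  return Object.values(filter).some(isOperatorDocument);
}

// Hardened handler: validate the payload before the driver ever sees it. These
// rules stand in for a schema such as
//   Joi.object({ username: Joi.string().max(64).required(), ... })
// and are written inline so the example runs without dependencies.
const FIELD_RULES = {
  username: { maxLength: 64 },
  password: { maxLength: 256 },
};

function validateBody(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return ["body: expected a JSON object"];
  }
  const errors = [];
  for (const [field, rule] of Object.entries(FIELD_RULES)) {
    const v = body[field];
    if (typeof v !== "string") {
      errors.push(`${field}: expected string, got ${v === null ? "null" : typeof v}`);
    } else if (v.length > rule.maxLength) {
      errors.push(`${field}: longer than ${rule.maxLength} characters`);
    }
  }
  // Unknown keys are rejected as well: the filter must only ever contain fields
  // the server chose. Rejecting beats stripping "$" keys, because the shape of
  // the query should never depend on what the client sent.
  for (const key of Object.keys(body)) {
    if (!Object.prototype.hasOwnProperty.call(FIELD_RULES, key)) {
      errors.push(`${key}: unexpected field`);
    }
  }
  return errors;
}

// Returns { ok: true, filter } only when every value is a bounded string, so the
// resulting filter is guaranteed to be an equality test; otherwise no filter is
// built at all and the errors are returned for a 400 response.
function buildFilterValidated(body) {
  const errors = validateBody(body);
  if (errors.length > 0) return { ok: false, errors };
  return { ok: true, filter: { username: body.username, password: body.password } };
}

// Constructed sample requests: a normal login, and one whose password field is
// an operator object instead of a string.
const NORMAL_BODY = { username: "alice", password: "correct horse" };
const OPERATOR_BODY = { username: "alice", password: { $gte: "" } };

// Runs both handlers over both bodies and reports what each produced.
function demo() {
  return {
    naiveNormal: hasInjectedOperator(buildFilterNaive(NORMAL_BODY)),     // false
    naiveOperator: hasInjectedOperator(buildFilterNaive(OPERATOR_BODY)), // true
    validatedNormal: buildFilterValidated(NORMAL_BODY).ok,               // true
    validatedOperator: buildFilterValidated(OPERATOR_BODY).ok,           // false
  };
}
```

The point the example makes is the one both sides of the thread agree on in different words: nothing here runs a second command, and the find is the only operation. What changes is the semantics of one field inside that find, which is exactly the class of bug that schema validation prevents, because a validated body cannot carry an object where a string was expected. The authorization check the fourth comment asks for sits on top of this, not instead of it.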