
Sanitizing inputs to MongoDB


Python's JSON module should be safe to use with untrusted input, at least in its default configuration (i.e. you haven't supplied any of the custom decoders, which could potentially have exploits within them).

However, we cannot say with certainty that the results of json.loads() are safe to pass to pymongo's find() method. While the find() method will not modify (update or remove) data in mongodb, it is possible to craft intentionally very poorly performing queries, like the following, which uses a specially-crafted $where clause to create very poor performance characteristics:

{"$where": "function() { for (var i=0; i<1000000; i++) {}; return true; }"}

Note that this is both valid JSON, and a valid mongodb query against.

For this reason, I wouldn't permit user-crafted JSON to be used directly as a query against mongodb, unless your users are all trusted (i.e. clients that you control directly, such as other servers/components within an application).
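One way to act on this advice is to keep json.loads() (which is safe on untrusted text) but refuse to hand its output to find() until it has been reduced to flat equality matches on an allowlist of fields. The following is an added example, not code from the answer above: the allowlist, the field names and the helper names are assumptions, and the hostile input is the $where document quoted in the answer. It rejects any key beginning with "$" (so $where, $regex, $expr and the rest), dotted keys, and nested objects as values, since {"field": {"$gt": 0}} is an operator in disguise.

```python
import json

# Constructed allowlist for this example: the only fields an untrusted client
# may filter on. Replace with the application's real schema (assumption).
ALLOWED_FIELDS = frozenset({"username", "status", "tags"})

# Plain JSON scalars are the only values accepted as match terms.
SCALAR_TYPES = (str, int, float, bool, type(None))


class UnsafeQueryError(ValueError):
    """Raised when untrusted JSON contains anything but flat equality matches."""


def sanitize_filter(obj, allowed_fields=ALLOWED_FIELDS):
    """Reduce a parsed JSON object to a MongoDB filter that can only express
    equality on allowlisted top-level fields.

    Rejected outright:
      * keys starting with '$'   (operators such as $where, $regex, $expr)
      * dotted keys              (paths into subdocuments)
      * objects as values        ({"age": {"$gt": 0}} smuggles an operator in)
      * non-scalar list members  (a list is allowed only as an array-equality match)
    """
    if not isinstance(obj, dict):
        raise UnsafeQueryError("filter must be a JSON object")
    clean = {}
    for key, value in obj.items():  # json.loads() keys are always str
        if key.startswith("$") or "." in key:
            raise UnsafeQueryError(f"operator or dotted key not permitted: {key!r}")
        if key not in allowed_fields:
            raise UnsafeQueryError(f"field not permitted: {key!r}")
        if isinstance(value, dict):
            raise UnsafeQueryError(f"nested object not permitted under {key!r}")
        if isinstance(value, list):
            if not all(isinstance(v, SCALAR_TYPES) for v in value):
                raise UnsafeQueryError(f"only scalar list members permitted under {key!r}")
        elif not isinstance(value, SCALAR_TYPES):
            raise UnsafeQueryError(f"unsupported value type under {key!r}")
        clean[key] = value
    return clean


def filter_from_untrusted_json(text, allowed_fields=ALLOWED_FIELDS):
    """Parse untrusted JSON text and return a filter that is safe to pass to find()."""
    return sanitize_filter(json.loads(text), allowed_fields)


def is_acceptable(text, allowed_fields=ALLOWED_FIELDS):
    """True if the untrusted JSON reduces to a permitted filter, False otherwise.
    Malformed JSON (json.JSONDecodeError) is a ValueError and counts as rejected."""
    try:
        filter_from_untrusted_json(text, allowed_fields)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: the $where document from the answer above, and a benign filter.
    hostile = '{"$where": "function() { for (var i=0; i<1000000; i++) {}; return true; }"}'
    benign = '{"username": "alice", "status": "active"}'
    try:
        filter_from_untrusted_json(hostile)
    except UnsafeQueryError as exc:
        print("rejected:", exc)
    clean = filter_from_untrusted_json(benign)
    print("accepted:", clean)
    # The clean dict is what reaches pymongo, e.g. collection.find(clean).max_time_ms(2000),
    # where the server-side time limit is a second line of defence, not a substitute.
```

The sanitizer deliberately whitelists rather than blacklists: it enumerates the one query shape the endpoint needs (equality on known fields) instead of trying to list every operator that could be abused, so a new operator in a future server version is rejected by default.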