+13
| # Change Log | ||
| All notable changes to this project will be documented in this file. | ||
| This project adheres to [Semantic Versioning](http://semver.org/). | ||
| ## [1.1.0] - 2016-01-13 | ||
| ### Added | ||
| - The middleware also now sanitizes keys with a `.`. This is in line with Mongo's reserved operators. | ||
| ## 1.0.0 - 2015-11-11 | ||
| Initial Release. | ||
| [1.1.0]: https://github.com/fiznool/express-mongo-sanitize/compare/v1.0.0...v1.1.0 |
+4
-2
@@ -9,3 +9,3 @@ 'use strict'; | ||
| Object.keys(val).forEach(function(key) { | ||
| if (/^\$/.test(key)) { | ||
| if (/^\$|\./.test(key)) { | ||
| delete val[key]; | ||
@@ -21,3 +21,5 @@ } else { | ||
| var middleware = function() { | ||
| var middleware = function(options) { | ||
| options = options || {}; | ||
| return function(req, res, next) { | ||
@@ -24,0 +26,0 @@ ['body', 'params', 'query'].forEach(function(k) { |
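Review bot: The replacement test `/^\$|\./.test(key)` is correct but its alternation is easy to misread as `^(\$|\.)`; it actually drops keys that start with `$` or contain a `.` anywhere, which is the asymmetry Mongo itself applies (operator-prefixed names versus dotted names that address nested fields), so a comment above the `if` would stop a later "fix" from anchoring both branches: `// drop keys that begin with '$' (operators) or contain '.' anywhere (nested-field paths)`. In the second hunk `middleware` now takes `options` and defaults it to `{}`, but nothing in the visible lines reads it; if it is consumed further down, a JSDoc `@param {Object} [options]` naming the keys honoured would tell callers what is configurable, and if it is not yet consumed the default assignment is dead code for this release. Note also that sanitization is by silent `delete`, so a request that carried a dotted or `$` key loses that data with no trace in the request or log; that is acceptable for a sanitizer but worth stating in the middleware's doc comment so callers do not expect a rejection. The enclosing sanitize function begins above the first hunk and the middleware body continues past the second.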
+1
-1
| { | ||
| "name": "express-mongo-sanitize", | ||
| "version": "1.0.0", | ||
| "version": "1.1.0", | ||
| "description": "Sanitize your express payload to prevent MongoDB operator injection.", | ||
@@ -5,0 +5,0 @@ "main": "index.js", |
+16
-9
@@ -29,3 +29,3 @@ 'use strict'; | ||
| request(app) | ||
| .get('/query?q=search&$where=malicious') | ||
| .get('/query?q=search&$where=malicious&dotted.data=some_data') | ||
| .set('Accept', 'application/json') | ||
@@ -48,3 +48,4 @@ .expect(200, { | ||
| stop: undefined, | ||
| $where: 'malicious' | ||
| $where: 'malicious', | ||
| 'dotted.data': 'some_data' | ||
| }) | ||
@@ -66,3 +67,3 @@ .set('Content-Type', 'application/json') | ||
| .post('/body') | ||
| .send('q=search&$where=malicious') | ||
| .send('q=search&$where=malicious&dotted.data=some_data') | ||
| .set('Content-Type', 'application/x-www-form-urlencoded') | ||
@@ -81,3 +82,3 @@ .set('Accept', 'application/json') | ||
| request(app) | ||
| .get('/query?username[$gt]=') | ||
| .get('/query?username[$gt]=foo&username[dotted.data]=some_data') | ||
| .set('Accept', 'application/json') | ||
@@ -95,3 +96,6 @@ .expect(200, { | ||
| .send({ | ||
| username: { $gt: '' } | ||
| username: { | ||
| $gt: 'foo', | ||
| 'dotted.data': 'some_data' | ||
| } | ||
| }) | ||
@@ -110,3 +114,3 @@ .set('Content-Type', 'application/json') | ||
| .post('/body') | ||
| .send('username[$gt]=') | ||
| .send('username[$gt]=foo&username[dotted.data]=some_data') | ||
| .set('Content-Type', 'application/x-www-form-urlencoded') | ||
@@ -125,3 +129,3 @@ .set('Accept', 'application/json') | ||
| request(app) | ||
| .get('/query?username[0][$gt]=') | ||
| .get('/query?username[0][$gt]=foo&username[0][dotted.data]=some_data') | ||
| .set('Accept', 'application/json') | ||
@@ -139,3 +143,6 @@ .expect(200, { | ||
| .send({ | ||
| username: [{ $gt: '' }] | ||
| username: [{ | ||
| $gt: 'foo', | ||
| 'dotted.data': 'some_data' | ||
| }] | ||
| }) | ||
@@ -154,3 +161,3 @@ .set('Content-Type', 'application/json') | ||
| .post('/body') | ||
| .send('username[0][$gt]=') | ||
| .send('username[0][$gt]=foo&username[0][dotted.data]=some_data') | ||
| .set('Content-Type', 'application/x-www-form-urlencoded') | ||
@@ -157,0 +164,0 @@ .set('Accept', 'application/json') |
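Review bot: Changing the injected operator value from empty (`username[$gt]=`) to `foo` in the updated requests removes the only coverage of an empty-valued operator key, and deletion should not depend on the value; keeping one request such as `.get('/query?username[$gt]=&username[dotted.data]=some_data')` alongside the new `foo` variants preserves that case. The same substitution is made in the JSON body, urlencoded body and array-element variants later in this section, so one retained empty-value case per transport is enough. The expectation blocks at the top of the section assert that `$where` and `'dotted.data'` survive in the echoed response, which presumably is the no-middleware baseline; a one-line comment naming it as such would make the intent clear to a reader who only sees this diff.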