express-mongo-sanitize
Comparing version 1.3.0 to 1.3.1
@@ -5,2 +5,7 @@ # Change Log | ||
## [1.3.1] - 2017-01-12 | ||
### Fixed | ||
- Fixed an issue with objects containing prohibited keys nested inside other objects with prohibited keys. #2 | ||
- Added a more robust check for plain objects. | ||
## [1.3.0] - 2016-01-15 | ||
@@ -22,4 +27,5 @@ ### Added | ||
[1.3.1]: https://github.com/fiznool/express-mongo-sanitize/compare/v1.3.0...v1.3.1 | ||
[1.3.0]: https://github.com/fiznool/express-mongo-sanitize/compare/v1.2.0...v1.3.0 | ||
[1.2.0]: https://github.com/fiznool/express-mongo-sanitize/compare/v1.1.0...v1.2.0 | ||
[1.1.0]: https://github.com/fiznool/express-mongo-sanitize/compare/v1.0.0...v1.1.0 |
44
index.js
@@ -6,3 +6,11 @@ 'use strict'; | ||
var withEach = function(target, cb) { | ||
function isPlainObject(obj) { | ||
if(obj === null || typeof obj !== 'object') { | ||
return false; | ||
} | ||
var proto = Object.getPrototypeOf(obj); | ||
return proto === Object.prototype || proto === null; | ||
} | ||
function withEach(target, cb) { | ||
var act = function(obj) { | ||
@@ -12,8 +20,8 @@ if(Array.isArray(obj)) { | ||
} else if(obj instanceof Object) { | ||
} else if(isPlainObject(obj)) { | ||
Object.keys(obj).forEach(function(key) { | ||
var val = obj[key]; | ||
var shouldRecurse = cb(obj, val, key); | ||
if(shouldRecurse) { | ||
act(obj[key]); | ||
var resp = cb(obj, val, key); | ||
if(resp.shouldRecurse) { | ||
act(obj[resp.key || key]); | ||
} | ||
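Review bot: `withEach` now reads `resp.shouldRecurse` from whatever the callback returns (`var resp = cb(obj, val, key);`), so a callback that still returns a boolean under the old contract silently never recurses (`true.shouldRecurse` is undefined) and one that returns nothing throws a TypeError, yet the new contract is nowhere documented. A comment above `function withEach(target, cb)` in the preceding hunk would make it explicit: `// cb(obj, val, key) must return { shouldRecurse: boolean, key?: string }; when the callback renames the property, key is the new property name to recurse into.` The `isPlainObject` branch also deliberately skips any object whose prototype is neither Object.prototype nor null (Dates, Buffers, class instances), which looks intended for body-parser output but deserves a one-line comment so nobody later treats this as a sanitizer for arbitrary object graphs. The body of `withEach` starts in the previous hunk and continues past this one.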
@@ -25,5 +33,5 @@ }); | ||
act(target); | ||
}; | ||
} | ||
var has = function(target) { | ||
function has(target) { | ||
var hasProhibited = false; | ||
@@ -33,5 +41,5 @@ withEach(target, function(obj, val, key) { | ||
hasProhibited = true; | ||
return false; | ||
return { shouldRecurse: false }; | ||
} else { | ||
return true; | ||
return { shouldRecurse: true }; | ||
} | ||
@@ -41,5 +49,5 @@ }); | ||
return hasProhibited; | ||
}; | ||
} | ||
var sanitize = function(target, options) { | ||
function sanitize(target, options) { | ||
options = options || {}; | ||
@@ -58,3 +66,4 @@ | ||
if(replaceWith) { | ||
obj[key.replace(REPLACE_REGEX, replaceWith)] = val; | ||
key = key.replace(REPLACE_REGEX, replaceWith); | ||
obj[key] = val; | ||
} else { | ||
@@ -65,9 +74,12 @@ shouldRecurse = false; | ||
return shouldRecurse; | ||
return { | ||
shouldRecurse: shouldRecurse, | ||
key: key | ||
}; | ||
}); | ||
return target; | ||
}; | ||
} | ||
var middleware = function(options) { | ||
function middleware(options) { | ||
return function(req, res, next) { | ||
@@ -81,3 +93,3 @@ ['body', 'params', 'query'].forEach(function(k) { | ||
}; | ||
}; | ||
} | ||
@@ -84,0 +96,0 @@ module.exports = middleware; |
{ | ||
"name": "express-mongo-sanitize", | ||
"version": "1.3.0", | ||
"version": "1.3.1", | ||
"description": "Sanitize your express payload to prevent MongoDB operator injection.", | ||
@@ -31,10 +31,8 @@ "main": "index.js", | ||
"devDependencies": { | ||
"body-parser": "^1.14.1", | ||
"express": "^4.13.3", | ||
"mocha": "^2.3.3", | ||
"supertest": "^1.1.0" | ||
}, | ||
"dependencies": { | ||
"chai": "^3.4.1" | ||
"body-parser": "^1.15.2", | ||
"chai": "^3.5.0", | ||
"express": "^4.14.0", | ||
"mocha": "^3.2.0", | ||
"supertest": "^2.0.1" | ||
} | ||
} |
27
test.js
@@ -348,2 +348,29 @@ 'use strict'; | ||
}); | ||
describe('Nested Object inside one with prohibited chars', function() { | ||
it('should sanitize a nested object inside one with prohibited chars in a JSON body', function(done) { | ||
request(app) | ||
.post('/body') | ||
.send({ | ||
username: { | ||
$gt: 'foo', | ||
'dotted.data': { | ||
'more.dotted.data': 'some_data' | ||
} | ||
} | ||
}) | ||
.set('Content-Type', 'application/json') | ||
.set('Accept', 'application/json') | ||
.expect(200, { | ||
body: { | ||
username: { | ||
_gt: 'foo', | ||
dotted_data: { | ||
'more_dotted_data': 'some_data' | ||
} | ||
} | ||
} | ||
}, done); | ||
}); | ||
}); | ||
}); | ||
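Review bot: The new case under `describe('Nested Object inside one with prohibited chars', ...)` only exercises a route that rewrites prohibited characters (the expectation shows `_gt` and `dotted_data`), so the recursion fix is not checked under the default remove behaviour, nor for `params`/`query` inputs which this file appears to cover elsewhere. A sibling `it(...)` posting the same payload to a route configured without `replaceWith` and asserting that `username` has neither `$gt` nor `dotted.data` would pin the other branch of the fix. The enclosing `describe` blocks start before this hunk.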
@@ -350,0 +377,0 @@ |
- Removed chai@^3.4.1
- Removed assertion-error@1.1.0 (transitive)
- Removed chai@3.5.0 (transitive)
- Removed deep-eql@0.1.3 (transitive)
- Removed type-detect@0.1.11.0.0 (transitive)