express-mongo-sanitize
Comparing version 1.3.2 to 2.0.0
@@ -5,2 +5,11 @@ # Change Log | ||
## [2.0.0] - 2020-03-25 | ||
### Added / Breaking | ||
- Support sanitization of headers. #5 | ||
Note that if you weren't previously expecting headers to be sanitized, this is considered a breaking change. | ||
### Breaking | ||
- Drop support for node versions < 10. | ||
## [1.3.2] - 2017-01-12 | ||
@@ -31,2 +40,3 @@ ### Fixed | ||
[2.0.0]: https://github.com/fiznool/express-mongo-sanitize/compare/v1.3.2...v2.0.0 | ||
[1.3.2]: https://github.com/fiznool/express-mongo-sanitize/compare/v1.3.1...v1.3.2 | ||
@@ -33,0 +43,0 @@ [1.3.1]: https://github.com/fiznool/express-mongo-sanitize/compare/v1.3.0...v1.3.1 |
21
index.js
'use strict'; | ||
var TEST_REGEX = /^\$|\./, | ||
REPLACE_REGEX = /^\$|\./g; | ||
const TEST_REGEX = /^\$|\./; | ||
const REPLACE_REGEX = /^\$|\./g; | ||
@@ -11,3 +11,3 @@ function isPlainObject(obj) { | ||
function withEach(target, cb) { | ||
var act = function(obj) { | ||
(function act(obj) { | ||
if(Array.isArray(obj)) { | ||
@@ -18,4 +18,4 @@ obj.forEach(act); | ||
Object.keys(obj).forEach(function(key) { | ||
var val = obj[key]; | ||
var resp = cb(obj, val, key); | ||
const val = obj[key]; | ||
const resp = cb(obj, val, key); | ||
if(resp.shouldRecurse) { | ||
@@ -26,9 +26,8 @@ act(obj[resp.key || key]); | ||
} | ||
}; | ||
})(target); | ||
act(target); | ||
} | ||
function has(target) { | ||
var hasProhibited = false; | ||
let hasProhibited = false; | ||
withEach(target, function(obj, val, key) { | ||
@@ -49,3 +48,3 @@ if(TEST_REGEX.test(key)) { | ||
var replaceWith = null; | ||
let replaceWith = null; | ||
if(!(TEST_REGEX.test(options.replaceWith))) { | ||
@@ -56,3 +55,3 @@ replaceWith = options.replaceWith; | ||
withEach(target, function(obj, val, key) { | ||
var shouldRecurse = true; | ||
let shouldRecurse = true; | ||
@@ -80,3 +79,3 @@ if(TEST_REGEX.test(key)) { | ||
return function(req, res, next) { | ||
['body', 'params', 'query'].forEach(function(k) { | ||
['body', 'params', 'headers', 'query'].forEach(function(k) { | ||
if(req[k]) { | ||
@@ -83,0 +82,0 @@ req[k] = sanitize(req[k], options); |
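Review bot: The new `'headers'` entry in `['body', 'params', 'headers', 'query']` is unconditional, so every consumer that upgrades has header names containing `.` (a legal token character in HTTP header names) or a leading `$` rewritten or dropped, with no way to keep the 1.x behaviour that the changelog itself labels breaking. Consider an opt-out, for example an option along the lines of `sanitizeHeaders` defaulting to true, or at least a comment on that line such as `// headers are sanitized too since 2.0.0; dotted header names are rewritten`. The `req[k] = sanitize(req[k], options)` assignment also replaces the headers object that Node populated, which presumably matters only if something upstream kept a reference to it — worth confirming. The middleware function returned here starts and ends outside the hunk, and `sanitize` is defined earlier in the file, so whether it returns a fresh object or mutates in place is not visible from this diff.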
{ | ||
"name": "express-mongo-sanitize", | ||
"version": "1.3.2", | ||
"version": "2.0.0", | ||
"description": "Sanitize your express payload to prevent MongoDB operator injection.", | ||
@@ -10,3 +10,3 @@ "main": "index.js", | ||
"engines": { | ||
"node": ">=0.10.0" | ||
"node": ">=10" | ||
}, | ||
@@ -32,8 +32,8 @@ "repository": { | ||
"devDependencies": { | ||
"body-parser": "^1.15.2", | ||
"chai": "^3.5.0", | ||
"express": "^4.14.0", | ||
"mocha": "^3.2.0", | ||
"supertest": "^2.0.1" | ||
"body-parser": "^1.19.0", | ||
"chai": "^4.2.0", | ||
"express": "^4.17.1", | ||
"mocha": "^7.1.1", | ||
"supertest": "^4.0.2" | ||
} | ||
} |
@@ -22,7 +22,7 @@ # Express Mongoose Sanitize | ||
``` js | ||
var express = require('express'), | ||
bodyParser = require('body-parser'), | ||
mongoSanitize = require('express-mongo-sanitize'); | ||
const express = require('express'); | ||
const bodyParser = require('body-parser'); | ||
const mongoSanitize = require('express-mongo-sanitize'); | ||
var app = express(); | ||
const app = express(); | ||
@@ -45,5 +45,5 @@ app.use(bodyParser.urlencoded({extended: true})); | ||
``` js | ||
var mongoSanitize = require('express-mongo-sanitize'); | ||
const mongoSanitize = require('express-mongo-sanitize'); | ||
var payload = {...}; | ||
const payload = {...}; | ||
@@ -59,3 +59,3 @@ // Remove any keys containing prohibited characters | ||
// Check if the payload has keys with prohibited characters | ||
var hasProhibited = mongoSanitize.has(payload); | ||
const hasProhibited = mongoSanitize.has(payload); | ||
``` | ||
@@ -62,0 +62,0 @@ |
97
test.js
'use strict'; | ||
var request = require('supertest'), | ||
express = require('express'), | ||
bodyParser = require('body-parser'), | ||
expect = require('chai').expect, | ||
sanitize = require('./index.js'); | ||
const request = require('supertest'); | ||
const express = require('express'); | ||
const bodyParser = require('body-parser'); | ||
const expect = require('chai').expect; | ||
const sanitize = require('./index.js'); | ||
describe('Express Mongo Sanitize', function() { | ||
describe('Remove Data', function() { | ||
var app = express(); | ||
const app = express(); | ||
app.use(bodyParser.urlencoded({extended: true})); | ||
@@ -18,6 +18,12 @@ app.use(bodyParser.json()); | ||
res.status(200).json({ | ||
body: req.body | ||
body: req.body, | ||
}); | ||
}); | ||
app.post('/headers', function (req, res){ | ||
res.status(200).json({ | ||
headers: req.headers | ||
}); | ||
}); | ||
app.get('/query', function(req, res){ | ||
@@ -65,2 +71,25 @@ res.status(200).json({ | ||
it('should sanitize HTTP headers', function(done) { | ||
request(app) | ||
.post('/headers') | ||
.set({ | ||
q: 'search', | ||
is: true, | ||
and: 1, | ||
even: null, | ||
$where: 'malicious', | ||
'dotted.data': 'some_data' | ||
}) | ||
.expect(200) | ||
.expect(function(res) { | ||
expect(res.body.headers).to.include({ | ||
q: 'search', | ||
is: 'true', | ||
and: '1', | ||
even: 'null' | ||
}) | ||
}) | ||
.end(done); | ||
}); | ||
it('should sanitize a form url-encoded body', function(done) { | ||
@@ -170,3 +199,3 @@ request(app) | ||
describe('Preserve Data', function() { | ||
var app = express(); | ||
const app = express(); | ||
app.use(bodyParser.urlencoded({extended: true})); | ||
@@ -184,2 +213,8 @@ app.use(bodyParser.json()); | ||
app.post('/headers', function (req, res){ | ||
res.status(200).json({ | ||
headers: req.headers | ||
}); | ||
}); | ||
app.get('/query', function(req, res){ | ||
@@ -231,2 +266,26 @@ res.status(200).json({ | ||
it('should sanitize HTTP headers', function(done) { | ||
request(app) | ||
.post('/headers') | ||
.set({ | ||
q: 'search', | ||
is: true, | ||
and: 1, | ||
even: null, | ||
$where: 'malicious', | ||
'dotted.data': 'some_data' | ||
}) | ||
.expect(function(res) { | ||
expect(res.body.headers).to.include({ | ||
q: 'search', | ||
is: 'true', | ||
and: '1', | ||
even: 'null', | ||
_where: 'malicious', | ||
dotted_data: 'some_data' | ||
}) | ||
}) | ||
.end(done); | ||
}); | ||
it('should sanitize a form url-encoded body', function(done) { | ||
@@ -384,3 +443,3 @@ request(app) | ||
it('should not allow data to be replaced with a `$`', function(done) { | ||
var app = express(); | ||
const app = express(); | ||
app.use(bodyParser.urlencoded({extended: true})); | ||
@@ -407,3 +466,3 @@ app.use(sanitize({ | ||
it('should not allow data to be replaced with a `.`', function(done) { | ||
var app = express(); | ||
const app = express(); | ||
app.use(bodyParser.urlencoded({extended: true})); | ||
@@ -432,3 +491,3 @@ app.use(sanitize({ | ||
it('should return true if the object has a key beginning with a `$`', function() { | ||
var input = { | ||
const input = { | ||
$prohibited: 'key' | ||
@@ -440,3 +499,3 @@ }; | ||
it('should return true if the object has a key containing a `.`', function() { | ||
var input = { | ||
const input = { | ||
'prohibited.key': 'value' | ||
@@ -448,3 +507,3 @@ }; | ||
it('should return true if the object has a nested key beginning with a `$`', function() { | ||
var input = { | ||
const input = { | ||
nested: { | ||
@@ -458,3 +517,3 @@ $prohibited: 'key' | ||
it('should return true if the object has a nested key containing a `.`', function() { | ||
var input = { | ||
const input = { | ||
nested: { | ||
@@ -468,3 +527,3 @@ 'prohibited.key': 'value' | ||
it('should return true if the array contains an object with a key beginning with a `$`', function() { | ||
var input = [{ | ||
const input = [{ | ||
$prohibited: 'key' | ||
@@ -476,3 +535,3 @@ }]; | ||
it('should return true if the array contains an object with a key containing a `.`', function() { | ||
var input = [{ | ||
const input = [{ | ||
'prohibited.key': 'value' | ||
@@ -484,3 +543,3 @@ }]; | ||
it('should return true if the payload contains a deeply nested object with a key beginning with a `$`', function() { | ||
var input = [{ | ||
const input = [{ | ||
some: { | ||
@@ -498,3 +557,3 @@ deeply: [{ | ||
it('should return true if the payload contains a deeply nested object with a key containing a `.`', function() { | ||
var input = [{ | ||
const input = [{ | ||
some: { | ||
@@ -512,3 +571,3 @@ deeply: [{ | ||
it('should return false if the payload doesn\'t contain any prohibited characters', function() { | ||
var input = { | ||
const input = { | ||
some: { | ||
@@ -515,0 +574,0 @@ nested: [{ |
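Review bot: The new "should sanitize HTTP headers" test in the "Remove Data" suite sends `$where` and `'dotted.data'` headers but its assertion only checks that `q`, `is`, `and` and `even` are present, so it would still pass if the prohibited headers were left untouched; `to.include` does not assert absence. Add `expect(res.body.headers).to.not.have.property('$where');` and `expect(res.body.headers).to.not.have.property('dotted.data');` after the existing `expect` so the removal path is actually exercised. The "Preserve Data" counterpart has the same gap: it checks that `_where` and `dotted_data` appear but not that the original keys are gone. Both `it` blocks are fully inside their hunks, but the `describe` suites that own `app` start outside them.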