Comparing version 1.3.2 to 2.0.0

10

CHANGELOG.md

@@ -5,2 +5,11 @@ # Change Log

## [2.0.0] - 2020-03-25
### Added / Breaking
- Support sanitization of headers. #5
Note that if you weren't previously expecting headers to be sanitized, this is considered a breaking change.
### Breaking
- Drop support for node versions < 10.
## [1.3.2] - 2017-01-12

@@ -31,2 +40,3 @@ ### Fixed

[2.0.0]: https://github.com/fiznool/express-mongo-sanitize/compare/v1.3.2...v2.0.0
[1.3.2]: https://github.com/fiznool/express-mongo-sanitize/compare/v1.3.1...v1.3.2

@@ -33,0 +43,0 @@ [1.3.1]: https://github.com/fiznool/express-mongo-sanitize/compare/v1.3.0...v1.3.1

21

index.js
'use strict';
var TEST_REGEX = /^\$|\./,
REPLACE_REGEX = /^\$|\./g;
const TEST_REGEX = /^\$|\./;
const REPLACE_REGEX = /^\$|\./g;

@@ -11,3 +11,3 @@ function isPlainObject(obj) {

function withEach(target, cb) {
var act = function(obj) {
(function act(obj) {
if(Array.isArray(obj)) {

@@ -18,4 +18,4 @@ obj.forEach(act);

Object.keys(obj).forEach(function(key) {
var val = obj[key];
var resp = cb(obj, val, key);
const val = obj[key];
const resp = cb(obj, val, key);
if(resp.shouldRecurse) {

@@ -26,9 +26,8 @@ act(obj[resp.key || key]);

}
};
})(target);
act(target);
}
function has(target) {
var hasProhibited = false;
let hasProhibited = false;
withEach(target, function(obj, val, key) {

@@ -49,3 +48,3 @@ if(TEST_REGEX.test(key)) {

var replaceWith = null;
let replaceWith = null;
if(!(TEST_REGEX.test(options.replaceWith))) {

@@ -56,3 +55,3 @@ replaceWith = options.replaceWith;

withEach(target, function(obj, val, key) {
var shouldRecurse = true;
let shouldRecurse = true;

@@ -80,3 +79,3 @@ if(TEST_REGEX.test(key)) {

return function(req, res, next) {
['body', 'params', 'query'].forEach(function(k) {
['body', 'params', 'headers', 'query'].forEach(function(k) {
if(req[k]) {

@@ -83,0 +82,0 @@ req[k] = sanitize(req[k], options);
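Review bot: The middleware returned at `return function(req, res, next)` now rewrites `req.headers` alongside body, params and query, but nothing in index.js records that widening or that the rewrite is key-only, so a reader has to find it in the changelog. From the visible hunks only the key is tested (`TEST_REGEX.test(key)`), so header values are never inspected; a comment above the loop would make the contract explicit, e.g. `// Rewrites keys (never values) on each listed request property; header names were added in 2.0.0 and cannot be switched off.` Because the property list is hard-coded, consumers affected by the breaking header change have no opt-out short of dropping the middleware, so an option to override the list may be worth considering. The enclosing middleware factory starts before this hunk and its body continues after it.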

{
"name": "express-mongo-sanitize",
"version": "1.3.2",
"version": "2.0.0",
"description": "Sanitize your express payload to prevent MongoDB operator injection.",

@@ -10,3 +10,3 @@ "main": "index.js",

"engines": {
"node": ">=0.10.0"
"node": ">=10"
},

@@ -32,8 +32,8 @@ "repository": {

"devDependencies": {
"body-parser": "^1.15.2",
"chai": "^3.5.0",
"express": "^4.14.0",
"mocha": "^3.2.0",
"supertest": "^2.0.1"
"body-parser": "^1.19.0",
"chai": "^4.2.0",
"express": "^4.17.1",
"mocha": "^7.1.1",
"supertest": "^4.0.2"
}
}

@@ -22,7 +22,7 @@ # Express Mongoose Sanitize

``` js
var express = require('express'),
bodyParser = require('body-parser'),
mongoSanitize = require('express-mongo-sanitize');
const express = require('express');
const bodyParser = require('body-parser');
const mongoSanitize = require('express-mongo-sanitize');
var app = express();
const app = express();

@@ -45,5 +45,5 @@ app.use(bodyParser.urlencoded({extended: true}));

``` js
var mongoSanitize = require('express-mongo-sanitize');
const mongoSanitize = require('express-mongo-sanitize');
var payload = {...};
const payload = {...};

@@ -59,3 +59,3 @@ // Remove any keys containing prohibited characters

// Check if the payload has keys with prohibited characters
var hasProhibited = mongoSanitize.has(payload);
const hasProhibited = mongoSanitize.has(payload);
```

@@ -62,0 +62,0 @@

'use strict';
var request = require('supertest'),
express = require('express'),
bodyParser = require('body-parser'),
expect = require('chai').expect,
sanitize = require('./index.js');
const request = require('supertest');
const express = require('express');
const bodyParser = require('body-parser');
const expect = require('chai').expect;
const sanitize = require('./index.js');
describe('Express Mongo Sanitize', function() {
describe('Remove Data', function() {
var app = express();
const app = express();
app.use(bodyParser.urlencoded({extended: true}));

@@ -18,6 +18,12 @@ app.use(bodyParser.json());

res.status(200).json({
body: req.body
body: req.body,
});
});
app.post('/headers', function (req, res){
res.status(200).json({
headers: req.headers
});
});
app.get('/query', function(req, res){

@@ -65,2 +71,25 @@ res.status(200).json({

it('should sanitize HTTP headers', function(done) {
request(app)
.post('/headers')
.set({
q: 'search',
is: true,
and: 1,
even: null,
$where: 'malicious',
'dotted.data': 'some_data'
})
.expect(200)
.expect(function(res) {
expect(res.body.headers).to.include({
q: 'search',
is: 'true',
and: '1',
even: 'null'
})
})
.end(done);
});
it('should sanitize a form url-encoded body', function(done) {

@@ -170,3 +199,3 @@ request(app)

describe('Preserve Data', function() {
var app = express();
const app = express();
app.use(bodyParser.urlencoded({extended: true}));

@@ -184,2 +213,8 @@ app.use(bodyParser.json());

app.post('/headers', function (req, res){
res.status(200).json({
headers: req.headers
});
});
app.get('/query', function(req, res){

@@ -231,2 +266,26 @@ res.status(200).json({

it('should sanitize HTTP headers', function(done) {
request(app)
.post('/headers')
.set({
q: 'search',
is: true,
and: 1,
even: null,
$where: 'malicious',
'dotted.data': 'some_data'
})
.expect(function(res) {
expect(res.body.headers).to.include({
q: 'search',
is: 'true',
and: '1',
even: 'null',
_where: 'malicious',
dotted_data: 'some_data'
})
})
.end(done);
});
it('should sanitize a form url-encoded body', function(done) {

@@ -384,3 +443,3 @@ request(app)

it('should not allow data to be replaced with a `$`', function(done) {
var app = express();
const app = express();
app.use(bodyParser.urlencoded({extended: true}));

@@ -407,3 +466,3 @@ app.use(sanitize({

it('should not allow data to be replaced with a `.`', function(done) {
var app = express();
const app = express();
app.use(bodyParser.urlencoded({extended: true}));

@@ -432,3 +491,3 @@ app.use(sanitize({

it('should return true if the object has a key beginning with a `$`', function() {
var input = {
const input = {
$prohibited: 'key'

@@ -440,3 +499,3 @@ };

it('should return true if the object has a key containing a `.`', function() {
var input = {
const input = {
'prohibited.key': 'value'

@@ -448,3 +507,3 @@ };

it('should return true if the object has a nested key beginning with a `$`', function() {
var input = {
const input = {
nested: {

@@ -458,3 +517,3 @@ $prohibited: 'key'

it('should return true if the object has a nested key containing a `.`', function() {
var input = {
const input = {
nested: {

@@ -468,3 +527,3 @@ 'prohibited.key': 'value'

it('should return true if the array contains an object with a key beginning with a `$`', function() {
var input = [{
const input = [{
$prohibited: 'key'

@@ -476,3 +535,3 @@ }];

it('should return true if the array contains an object with a key containing a `.`', function() {
var input = [{
const input = [{
'prohibited.key': 'value'

@@ -484,3 +543,3 @@ }];

it('should return true if the payload contains a deeply nested object with a key beginning with a `$`', function() {
var input = [{
const input = [{
some: {

@@ -498,3 +557,3 @@ deeply: [{

it('should return true if the payload contains a deeply nested object with a key containing a `.`', function() {
var input = [{
const input = [{
some: {

@@ -512,3 +571,3 @@ deeply: [{

it('should return false if the payload doesn\'t contain any prohibited characters', function() {
var input = {
const input = {
some: {

@@ -515,0 +574,0 @@ nested: [{
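Review bot: The 'Remove Data' header test at `it('should sanitize HTTP headers', …)` (the `@@ -65,2 +71,25 @@` hunk) never asserts that the prohibited keys are gone: `expect(res.body.headers).to.include({…})` only checks that the benign headers are present, so the test passes even if `$where` and `dotted.data` reach the handler untouched. Adding `expect(res.body.headers).to.not.have.property('$where');` and `expect(res.body.headers).to.not.have.property('dotted.data');` inside the `.expect(function(res) {…})` callback pins the removal, matching the `_where`/`dotted_data` assertions the 'Preserve Data' variant already makes. The surrounding describe blocks begin and end outside these hunks.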

