Sanitize your express payload to prevent MongoDB operator injection. 

fiznool

express-mongo-sanitize

All notable changes to this project will be documented in this file.

This project adheres to [Semantic Versioning](http://semver.org/).

- Update dependencies and test against node 14.

- Use ESLint instead of JSHint for code linting.

- Use GitHub Actions for CI instead of Travis.

Note that if you weren't previously expecting headers to be sanitized, this is considered a breaking change.

- Fixed an issue when using the sanitizer in the node REPL. #3

- Fixed an issue with objects containing prohibited keys nested inside other objects with prohibited keys. #2

- Added a more robust check for plain objects.

- A new function `has`, which checks whether a passed object/array contains any keys with prohibited characters.

- A new option `replaceWith` which can be used to replace offending characters in a key. This is an alternative to removing the data from the payload.

- The middleware also now sanitizes keys with a `.`. This is in line with Mongo's reserved operators.

[2.0.1]: https://github.com/fiznool/express-mongo-sanitize/compare/v2.0.0...v2.0.1

[2.0.0]: https://github.com/fiznool/express-mongo-sanitize/compare/v1.3.2...v2.0.0

[1.3.2]: https://github.com/fiznool/express-mongo-sanitize/compare/v1.3.1...v1.3.2

[1.3.1]: https://github.com/fiznool/express-mongo-sanitize/compare/v1.3.0...v1.3.1

[1.3.0]: https://github.com/fiznool/express-mongo-sanitize/compare/v1.2.0...v1.3.0

[1.2.0]: https://github.com/fiznool/express-mongo-sanitize/compare/v1.1.0...v1.2.0

[1.1.0]: https://github.com/fiznool/express-mongo-sanitize/compare/v1.0.0...v1.1.0

  "description": "Sanitize your express payload to prevent MongoDB operator injection.",

    "test": "./node_modules/mocha/bin/mocha test.js"

    "url": "git+https://github.com/fiznool/express-mongo-sanitize.git"

  "author": "Tom Spencer <fiznool@gmail.com>",

    "url": "https://github.com/fiznool/express-mongo-sanitize/issues"

  "homepage": "https://github.com/fiznool/express-mongo-sanitize#readme",

Express 4.x middleware which sanitizes user-supplied data to prevent MongoDB Operator Injection.

[![Build Status](https://travis-ci.org/fiznool/express-mongo-sanitize.svg?branch=master)](https://travis-ci.org/fiznool/express-mongo-sanitize)

[![npm version](https://badge.fury.io/js/express-mongo-sanitize.svg)](http://badge.fury.io/js/express-mongo-sanitize)

[![Build Status](https://github.com/fiznool/express-mongo-sanitize/workflows/Node.js%20CI/badge.svg)](https://github.com/fiznool/express-mongo-sanitize/workflows/Node.js%20CI/badge.svg)

[![npm version](https://img.shields.io/npm/v/express-mongo-sanitize)](https://img.shields.io/npm/v/express-mongo-sanitize)

[![npm downloads per week](https://img.shields.io/npm/dw/express-mongo-sanitize?color=blue)](https://img.shields.io/npm/dw/express-mongo-sanitize?color=blue)

[![Dependency Status](https://david-dm.org/fiznool/express-mongo-sanitize.svg)](https://david-dm.org/fiznool/express-mongo-sanitize)

[![devDependency Status](https://david-dm.org/fiznool/express-mongo-sanitize/dev-status.svg)](https://david-dm.org/fiznool/express-mongo-sanitize#info=devDependencies)

Add as a piece of express middleware, before defining your routes.

const bodyParser = require('body-parser');

const mongoSanitize = require('express-mongo-sanitize');

app.use(bodyParser.urlencoded({extended: true}));

// Or, to replace prohibited characters with _, use:

You can also bypass the middleware and use the module directly:

// Remove any keys containing prohibited characters

// Replace any prohibited characters in keys

// Check if the payload has keys with prohibited characters

const hasProhibited = mongoSanitize.has(payload);

This module searches for any keys in objects that begin with a `$` sign or contain a `.`, from `req.body`, `req.query` or `req.params`. It can then either:

- completely remove these keys and associated data from the object, or

- replace the prohibited characters with another allowed character.

The behaviour is governed by the passed option, `replaceWith`. Set this option to have the sanitizer replace the prohibited characters with the character passed in.

Object keys starting with a `$` or containing a `.` are _reserved_ for use by MongoDB as operators. Without this sanitization,  malicious users could send an object containing a `$` operator, or including a `.`, which could change the context of a database operation. Most notorious is the `$where` operator, which can execute arbitrary JavaScript on the database.

The best way to prevent this is to sanitize the received data, and remove any offending keys, or replace the characters with a 'safe' one.

Inspired by [mongo-sanitize](https://github.com/vkarpov15/mongo-sanitize).

		@@ -5,2 +5,10 @@ # Change Log

		## [2.0.1] - 2020-12-02
		### Updated
		- Update dependencies and test against node 14.

		### Changed
		- Use ESLint instead of JSHint for code linting.
		- Use GitHub Actions for CI instead of Travis.

		## [2.0.0] - 2020-03-25
		@@ -40,2 +48,3 @@ ### Added / Breaking

		[2.0.1]: https://github.com/fiznool/express-mongo-sanitize/compare/v2.0.0...v2.0.1
		[2.0.0]: https://github.com/fiznool/express-mongo-sanitize/compare/v1.3.2...v2.0.0
		@@ -42,0 +51,0 @@ [1.3.2]: https://github.com/fiznool/express-mongo-sanitize/compare/v1.3.1...v1.3.2

		{
		"name": "express-mongo-sanitize",
		"version": "2.0.0",
		"version": "2.0.1",
		"description": "Sanitize your express payload to prevent MongoDB operator injection.",
		"main": "index.js",
		"scripts": {
		"test": "./node_modules/mocha/bin/mocha test.js"
		"lint": "eslint \"*/.js\" --fix",
		"test": "mocha test.js"
		},
		@@ -33,6 +34,8 @@ "engines": {
		"chai": "^4.2.0",
		"eslint": "^7.14.0",
		"express": "^4.17.1",
		"mocha": "^7.1.1",
		"supertest": "^4.0.2"
		}
		"mocha": "^8.2.1",
		"supertest": "^6.0.1"
		},
		"dependencies": {}
		}

Improved metrics

Worsened metrics

		@@ -5,4 +5,5 @@ # Express Mongoose Sanitize

		[![Build Status](https://travis-ci.org/fiznool/express-mongo-sanitize.svg?branch=master)](https://travis-ci.org/fiznool/express-mongo-sanitize)
		[![npm version](https://badge.fury.io/js/express-mongo-sanitize.svg)](http://badge.fury.io/js/express-mongo-sanitize)
		[![Build Status](https://github.com/fiznool/express-mongo-sanitize/workflows/Node.js%20CI/badge.svg)](https://github.com/fiznool/express-mongo-sanitize/workflows/Node.js%20CI/badge.svg)
		[![npm version](https://img.shields.io/npm/v/express-mongo-sanitize)](https://img.shields.io/npm/v/express-mongo-sanitize)
		[![npm downloads per week](https://img.shields.io/npm/dw/express-mongo-sanitize?color=blue)](https://img.shields.io/npm/dw/express-mongo-sanitize?color=blue)
		[![Dependency Status](https://david-dm.org/fiznool/express-mongo-sanitize.svg)](https://david-dm.org/fiznool/express-mongo-sanitize)
		@@ -9,0 +10,0 @@ [![devDependency Status](https://david-dm.org/fiznool/express-mongo-sanitize/dev-status.svg)](https://david-dm.org/fiznool/express-mongo-sanitize#info=devDependencies)