express-mongo-sanitize
Advanced tools
Comparing version 2.0.1 to 2.0.2
@@ -5,2 +5,9 @@ # Change Log | ||
| ## [2.0.2] - 2021-01-07 | ||
| ### Fixed | ||
| - Fixed a prototype pollution security vulnerability. #34 | ||
| ### Updated | ||
| - Update dependencies. | ||
| ## [2.0.1] - 2020-12-02 | ||
@@ -48,2 +55,3 @@ ### Updated | ||
| [2.0.2]: https://github.com/fiznool/express-mongo-sanitize/compare/v2.0.1...v2.0.2 | ||
| [2.0.1]: https://github.com/fiznool/express-mongo-sanitize/compare/v2.0.0...v2.0.1 | ||
@@ -50,0 +58,0 @@ [2.0.0]: https://github.com/fiznool/express-mongo-sanitize/compare/v1.3.2...v2.0.0 |
@@ -57,3 +57,8 @@ 'use strict'; | ||
| key = key.replace(REPLACE_REGEX, replaceWith); | ||
| obj[key] = val; | ||
| // Avoid to set __proto__ and constructor.prototype | ||
| // https://portswigger.net/daily-swig/prototype-pollution-the-dangerous-and-underrated-vulnerability-impacting-javascript-applications | ||
| // https://snyk.io/vuln/SNYK-JS-LODASH-73638 | ||
| if (key !== "__proto__" && key !== "constructor" && key !== "prototype") { | ||
| obj[key] = val; | ||
| } | ||
| } else { | ||
@@ -60,0 +65,0 @@ shouldRecurse = false; |
| { | ||
| "name": "express-mongo-sanitize", | ||
| "version": "2.0.1", | ||
| "version": "2.0.2", | ||
| "description": "Sanitize your express payload to prevent MongoDB operator injection.", | ||
@@ -34,3 +34,3 @@ "main": "index.js", | ||
| "chai": "^4.2.0", | ||
| "eslint": "^7.14.0", | ||
| "eslint": "^7.17.0", | ||
| "express": "^4.17.1", | ||
@@ -37,0 +37,0 @@ "mocha": "^8.2.1", |
93
test.js
@@ -434,2 +434,95 @@ 'use strict'; | ||
| }); | ||
| describe('prototype pollution', function() { | ||
| const createApp = (options) => { | ||
| const app = express(); | ||
| app.use(bodyParser.urlencoded({extended: true})); | ||
| app.use(bodyParser.json()); | ||
| app.use(sanitize(options)); | ||
| app.post('/body', function (req, res) { | ||
| // should not inject valued | ||
| expect(req.body.injected).to.be.undefined; | ||
| res.status(200).json({ | ||
| body: req.body | ||
| }); | ||
| }); | ||
| return app; | ||
| } | ||
| it('should not set __proto__ property', function (done) { | ||
| const app = createApp({ | ||
| replaceWith: "_" | ||
| }); | ||
| request(app) | ||
| .post('/body') | ||
| .send({ | ||
| // replace $ with _ | ||
| $_proto__: { | ||
| injected: "injected value" | ||
| }, | ||
| query: { | ||
| q: 'search' | ||
| } | ||
| }) | ||
| .set('Content-Type', 'application/json') | ||
| .set('Accept', 'application/json') | ||
| .expect(200, { | ||
| body: { | ||
| query: { | ||
| q: 'search' | ||
| } | ||
| } | ||
| }, done); | ||
| }); | ||
| it('should not set constructor property', function (done) { | ||
| const app = createApp({ | ||
| replaceWith: "c" | ||
| }); | ||
| request(app) | ||
| .post('/body') | ||
| .send({ | ||
| // replace $ with c | ||
| $onstructor: { | ||
| injected: "injected value" | ||
| }, | ||
| query: { | ||
| q: 'search' | ||
| } | ||
| }) | ||
| .set('Content-Type', 'application/json') | ||
| .set('Accept', 'application/json') | ||
| .expect(200, { | ||
| body: { | ||
| query: { | ||
| q: 'search' | ||
| } | ||
| } | ||
| }, done); | ||
| }); | ||
| it('should not set prototype property', function (done) { | ||
| const app = createApp({ | ||
| replaceWith: "p" | ||
| }); | ||
| request(app) | ||
| .post('/body') | ||
| .send({ | ||
| // replace $ with empty p | ||
| $rototype: { | ||
| injected: "injected value" | ||
| }, | ||
| query: { | ||
| q: 'search' | ||
| } | ||
| }) | ||
| .set('Content-Type', 'application/json') | ||
| .set('Accept', 'application/json') | ||
| .expect(200, { | ||
| body: { | ||
| query: { | ||
| q: 'search' | ||
| } | ||
| } | ||
| }, done); | ||
| }); | ||
| }); | ||
| }); | ||
@@ -436,0 +529,0 @@ |
No alert changes
Improved metrics
- Total package byte prevSize
- increased by16.95%
29574
- Number of package files
- increased by12.5%
9
- Lines of code
- increased by15.64%
710
No dependency changes