express-mongo-sanitize
Comparing version 2.0.1 to 2.0.2
@@ -5,2 +5,9 @@ # Change Log | ||
## [2.0.2] - 2021-01-07 | ||
### Fixed | ||
- Fixed a prototype pollution security vulnerability. #34 | ||
### Updated | ||
- Update dependencies. | ||
## [2.0.1] - 2020-12-02 | ||
@@ -48,2 +55,3 @@ ### Updated | ||
[2.0.2]: https://github.com/fiznool/express-mongo-sanitize/compare/v2.0.1...v2.0.2 | ||
[2.0.1]: https://github.com/fiznool/express-mongo-sanitize/compare/v2.0.0...v2.0.1 | ||
@@ -50,0 +58,0 @@ [2.0.0]: https://github.com/fiznool/express-mongo-sanitize/compare/v1.3.2...v2.0.0 |
@@ -57,3 +57,8 @@ 'use strict'; | ||
key = key.replace(REPLACE_REGEX, replaceWith); | ||
obj[key] = val; | ||
// Avoid to set __proto__ and constructor.prototype | ||
// https://portswigger.net/daily-swig/prototype-pollution-the-dangerous-and-underrated-vulnerability-impacting-javascript-applications | ||
// https://snyk.io/vuln/SNYK-JS-LODASH-73638 | ||
if (key !== "__proto__" && key !== "constructor" && key !== "prototype") { | ||
obj[key] = val; | ||
} | ||
} else { | ||
@@ -60,0 +65,0 @@ shouldRecurse = false; |
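Review bot: The new guard compares the key only after `replace`, so a key that is already literally `__proto__` never reaches it; `JSON.parse` keeps such a key as an own property, and if the code outside this hunk copies non-matching keys with the same `obj[key] = val` pattern, that path would still reassign the prototype of `obj` — worth confirming against the enclosing function, which starts and ends outside the hunk. The drop is silent, so the `if` deserves a comment saying so, e.g. `// A key rewritten to a prototype name is discarded rather than assigned.` The three string comparisons could also become a module-level `const PROTOTYPE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);` with `if (!PROTOTYPE_KEYS.has(key)) {` here, which keeps the list in one place should the check be needed on the other branch as well.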
{ | ||
"name": "express-mongo-sanitize", | ||
"version": "2.0.1", | ||
"version": "2.0.2", | ||
"description": "Sanitize your express payload to prevent MongoDB operator injection.", | ||
@@ -34,3 +34,3 @@ "main": "index.js", | ||
"chai": "^4.2.0", | ||
"eslint": "^7.14.0", | ||
"eslint": "^7.17.0", | ||
"express": "^4.17.1", | ||
@@ -37,0 +37,0 @@ "mocha": "^8.2.1", |
test.js
@@ -434,2 +434,95 @@ 'use strict'; | ||
}); | ||
describe('prototype pollution', function() { | ||
const createApp = (options) => { | ||
const app = express(); | ||
app.use(bodyParser.urlencoded({extended: true})); | ||
app.use(bodyParser.json()); | ||
app.use(sanitize(options)); | ||
app.post('/body', function (req, res) { | ||
// should not inject valued | ||
expect(req.body.injected).to.be.undefined; | ||
res.status(200).json({ | ||
body: req.body | ||
}); | ||
}); | ||
return app; | ||
} | ||
it('should not set __proto__ property', function (done) { | ||
const app = createApp({ | ||
replaceWith: "_" | ||
}); | ||
request(app) | ||
.post('/body') | ||
.send({ | ||
// replace $ with _ | ||
$_proto__: { | ||
injected: "injected value" | ||
}, | ||
query: { | ||
q: 'search' | ||
} | ||
}) | ||
.set('Content-Type', 'application/json') | ||
.set('Accept', 'application/json') | ||
.expect(200, { | ||
body: { | ||
query: { | ||
q: 'search' | ||
} | ||
} | ||
}, done); | ||
}); | ||
it('should not set constructor property', function (done) { | ||
const app = createApp({ | ||
replaceWith: "c" | ||
}); | ||
request(app) | ||
.post('/body') | ||
.send({ | ||
// replace $ with c | ||
$onstructor: { | ||
injected: "injected value" | ||
}, | ||
query: { | ||
q: 'search' | ||
} | ||
}) | ||
.set('Content-Type', 'application/json') | ||
.set('Accept', 'application/json') | ||
.expect(200, { | ||
body: { | ||
query: { | ||
q: 'search' | ||
} | ||
} | ||
}, done); | ||
}); | ||
it('should not set prototype property', function (done) { | ||
const app = createApp({ | ||
replaceWith: "p" | ||
}); | ||
request(app) | ||
.post('/body') | ||
.send({ | ||
// replace $ with empty p | ||
$rototype: { | ||
injected: "injected value" | ||
}, | ||
query: { | ||
q: 'search' | ||
} | ||
}) | ||
.set('Content-Type', 'application/json') | ||
.set('Accept', 'application/json') | ||
.expect(200, { | ||
body: { | ||
query: { | ||
q: 'search' | ||
} | ||
} | ||
}, done); | ||
}); | ||
}); | ||
}); | ||
@@ -436,0 +529,0 @@ |
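Review bot: The handler assertion `expect(req.body.injected).to.be.undefined;` only checks the parsed body, so pollution that landed on the shared `Object.prototype` would go unnoticed; adding `expect(({}).injected).to.be.undefined;` beside it covers the global case at no cost. The comments `// should not inject valued` and `// replace $ with empty p` read as typos for `// should not inject value` and `// replace $ with p`. The three `it` cases differ only in `replaceWith` and the sent key, so a small array of `{ replaceWith, key }` entries iterated with `forEach` would remove the triplicated request/expect body; the `describe` block is fully inside the hunk.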