express-mongo-sanitize - npm Package Compare versions

Comparing version 2.1.0 to 2.2.0

index.d.ts

@@ -8,2 +8,3 @@ import { Request, Response, Handler } from 'express';
     dryRun?: boolean;
+    allowDots?: boolean;
   }
@@ -31,3 +32,6 @@ }
    */
-  has(target: Record<string, unknown> | unknown[]): boolean;
+  has(
+    target: Record<string, unknown> | unknown[],
+    allowDots?: boolean,
+  ): boolean;
 };
@@ -34,0 +38,0 @@

index.js

 'use strict';
 
 const TEST_REGEX = /^\$|\./;
+const TEST_REGEX_WITHOUT_DOT = /^\$/;
 const REPLACE_REGEX = /^\$|\./g;
@@ -10,2 +11,6 @@
 
+function getTestRegex(allowDots) {
+  return allowDots ? TEST_REGEX_WITHOUT_DOT : TEST_REGEX;
+}
+
 function withEach(target, cb) {
@@ -27,6 +32,8 @@ (function act(obj) {
 
-function has(target) {
+function has(target, allowDots) {
+  const regex = getTestRegex(allowDots);
+
   let hasProhibited = false;
   withEach(target, function (obj, val, key) {
-    if (TEST_REGEX.test(key)) {
+    if (regex.test(key)) {
       hasProhibited = true;
@@ -43,6 +50,8 @@ return { shouldRecurse: false };
 function _sanitize(target, options) {
+  const regex = getTestRegex(options.allowDots);
+
   let isSanitized = false;
   let replaceWith = null;
-  let dryRun = Boolean(options.dryRun);
-  if (!TEST_REGEX.test(options.replaceWith)) {
+  const dryRun = Boolean(options.dryRun);
+  if (!regex.test(options.replaceWith) && options.replaceWith !== '.') {
     replaceWith = options.replaceWith;
@@ -54,3 +63,3 @@ }
 
-    if (TEST_REGEX.test(key)) {
+    if (regex.test(key)) {
       isSanitized = true;
@@ -94,3 +103,3 @@ // if dryRun is enabled, do not modify the target
 
-function sanitize(target, options) {
+function sanitize(target, options = {}) {
   return _sanitize(target, options).target;
@@ -97,0 +106,0 @@ }

package.json

 {
   "name": "express-mongo-sanitize",
-  "version": "2.1.0",
+  "version": "2.2.0",
   "description": "Sanitize your express payload to prevent MongoDB operator injection.",
@@ -39,12 +39,12 @@ "main": "index.js",
   "devDependencies": {
-    "@types/express": "^4.17.11",
-    "body-parser": "^1.19.0",
+    "@types/express": "^4.17.13",
+    "body-parser": "^1.19.1",
     "chai": "^4.3.4",
-    "eslint": "^7.26.0",
-    "express": "^4.17.1",
-    "mocha": "^8.4.0",
-    "prettier": "^2.3.0",
-    "supertest": "^6.1.3",
-    "tsd": "^0.15.1"
+    "eslint": "^8.6.0",
+    "express": "^4.17.2",
+    "mocha": "^9.1.3",
+    "prettier": "^2.5.1",
+    "supertest": "^6.2.1",
+    "tsd": "^0.19.1"
   }
 }

README.md

@@ -8,5 +8,23 @@ # Express Mongoose Sanitize
 [![npm downloads per week](https://img.shields.io/npm/dw/express-mongo-sanitize?color=blue)](https://img.shields.io/npm/dw/express-mongo-sanitize?color=blue)
-[![Dependency Status](https://david-dm.org/fiznool/express-mongo-sanitize.svg)](https://david-dm.org/fiznool/express-mongo-sanitize)
-[![devDependency Status](https://david-dm.org/fiznool/express-mongo-sanitize/dev-status.svg)](https://david-dm.org/fiznool/express-mongo-sanitize#info=devDependencies)
+[![Dependency Status](https://img.shields.io/librariesio/release/npm/express-mongo-sanitize)](https://img.shields.io/librariesio/release/npm/express-mongo-sanitize)
 
+## What is this module for?
+
+This module searches for any keys in objects that begin with a `$` sign or contain a `.`, from `req.body`, `req.query` or `req.params`. It can then either:
+
+- completely remove these keys and associated data from the object, or
+- replace the prohibited characters with another allowed character.
+
+The behaviour is governed by the passed option, `replaceWith`. Set this option to have the sanitizer replace the prohibited characters with the character passed in.
+
+The config option `allowDots` can be used to allow dots in the user-supplied data. In this case, only instances of `$` will be sanitized.
+
+See the spec file for more examples.
+
+## Why is it needed?
+
+Object keys starting with a `$` or containing a `.` are _reserved_ for use by MongoDB as operators. Without this sanitization, malicious users could send an object containing a `$` operator, or including a `.`, which could change the context of a database operation. Most notorious is the `$where` operator, which can execute arbitrary JavaScript on the database.
+
+The best way to prevent this is to sanitize the received data, and remove any offending keys, or replace the characters with a 'safe' one.
+
 ## Installation
@@ -32,6 +50,12 @@
 
-// To remove data, use:
+// By default, $ and . characters are removed completely from user-supplied input in the following places:
+// - req.body
+// - req.params
+// - req.headers
+// - req.query
+
+// To remove data using these defaults:
 app.use(mongoSanitize());
 
-// Or, to replace prohibited characters with _, use:
+// Or, to replace these prohibited characters with _, use:
 app.use(
@@ -42,2 +66,20 @@ mongoSanitize({
 );
+
+// Or, to sanitize data that only contains $, without .(dot)
+// Can be useful for letting data pass that is meant for querying nested documents.
+// NOTE: This may cause some problems on older versions of MongoDb
+// READ MORE: https://github.com/fiznool/express-mongo-sanitize/issues/36
+app.use(
+  mongoSanitize({
+    allowDots: true,
+  }),
+);
+
+// Both allowDots and replaceWith
+app.use(
+  mongoSanitize({
+    allowDots: true,
+    replaceWith: '_',
+  }),
+);
 ```
@@ -91,23 +133,23 @@
 
+// Exclude sanitization of . (dot), only sanitize data that contains $.
+// NOTE: This may cause some problems on older versions of MongoDb
+// READ MORE: https://github.com/fiznool/express-mongo-sanitize/issues/36
+mongoSanitize.sanitize(payload, {
+  allowDots: true
+});
+
+// Both allowDots and replaceWith
+mongoSanitize.sanitize(payload, {
+  allowDots: true,
+  replaceWith: '_'
+});
+
 // Check if the payload has keys with prohibited characters
 const hasProhibited = mongoSanitize.has(payload);
+
+// Check if the payload has keys with prohibited characters (`.` is excluded).
+// If the payload only has `.` it will return false (since it doesn't see the data with `.` as malicious)
+const hasProhibited = mongoSanitize.has(payload, true);
 ```
 
-## What?
-
-This module searches for any keys in objects that begin with a `$` sign or contain a `.`, from `req.body`, `req.query` or `req.params`. It can then either:
-
-- completely remove these keys and associated data from the object, or
-- replace the prohibited characters with another allowed character.
-
-The behaviour is governed by the passed option, `replaceWith`. Set this option to have the sanitizer replace the prohibited characters with the character passed in.
-
-See the spec file for more examples.
-
-## Why?
-
-Object keys starting with a `$` or containing a `.` are _reserved_ for use by MongoDB as operators. Without this sanitization, malicious users could send an object containing a `$` operator, or including a `.`, which could change the context of a database operation. Most notorious is the `$where` operator, which can execute arbitrary JavaScript on the database.
-
-The best way to prevent this is to sanitize the received data, and remove any offending keys, or replace the characters with a 'safe' one.
-
 ## Contributing
@@ -114,0 +156,0 @@

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Major refactor

Supply chain risk

Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.

Found 1 instance in 1 package

Improved metrics

Lines of code

149

increased by7.19%

Number of lines in readme file

162

increased by35%

Number of medium supply chain risk alerts

0

decreased by-100%

Worsened metrics

Total package byte prevSize

11373

decreased by-8.87%

Number of package files

5

decreased by-16.67%

No dependency changes