express-mongo-sanitize
Advanced tools
Changelog
[1.1.0] - 2016-01-13
.. This is in line with Mongo's reserved operators.Readme
Express 4.x middleware which sanitizes user-supplied data to prevent MongoDB Operator Injection.
npm install express-mongo-sanitize
Add as a piece of express middleware, before defining your routes.
var express = require('express'),
bodyParser = require('body-parser'),
mongoSanitize = require('express-mongo-sanitize');
var app = express();
app.use(bodyParser.urlencoded({extended: true}));
app.use(bodyParser.json());
app.use(mongoSanitize());
This module removes any keys in objects that begin with a $ sign from req.body, req.query or req.params.
Object keys starting with a $ are reserved for use by MongoDB as operators. Without this sanitization, malicious users could send an object containing a $ operator, which could change the context of a database operation. Most notorious is the $where operator, which can execute arbitrary JavaScript on the database.
The best way to prevent this is to sanitize the received data, and remove any offending keys.
Inspired by mongo-sanitize.
MIT
FAQs
Sanitize your express payload to prevent MongoDB operator injection.
We found that express-mongo-sanitize demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
CISA launched a new project called Vulnrichment to enrich CVEs with details that help prioritize patching and mitigation efforts, as the NVD backlog of unenriched CVEs awaiting analysis surpasses 10,000.
Security News
Socket is joining forces with CISA and other industry leaders at the RSA Conference to sign the Secure by Design pledge, committing to uphold the highest security standards in our products.
Research
The Socket research team breaks down a sampling of malicious packages that download and execute files, among other suspicious behaviors, targeting the popular Discord platform.