express-mongo-sanitize
Advanced tools
Changelog
[1.3.1] - 2017-01-12
Readme
Express 4.x middleware which sanitizes user-supplied data to prevent MongoDB Operator Injection.
npm install express-mongo-sanitize
Add as a piece of express middleware, before defining your routes.
var express = require('express'),
bodyParser = require('body-parser'),
mongoSanitize = require('express-mongo-sanitize');
var app = express();
app.use(bodyParser.urlencoded({extended: true}));
app.use(bodyParser.json());
// To remove data, use:
app.use(mongoSanitize());
// Or, to replace prohibited characters with _, use:
app.use(mongoSanitize({
replaceWith: '_'
}))
You can also bypass the middleware and use the module directly:
var mongoSanitize = require('express-mongo-sanitize');
var payload = {...};
// Remove any keys containing prohibited characters
mongoSanitize.sanitize(payload);
// Replace any prohibited characters in keys
mongoSanitize.sanitize(payload, {
replaceWith: '_'
});
// Check if the payload has keys with prohibited characters
var hasProhibited = mongoSanitize.has(payload);
This module searches for any keys in objects that begin with a $ sign or contain a ., from req.body, req.query or req.params. It can then either:
The behaviour is governed by the passed option, replaceWith. Set this option to have the sanitizer replace the prohibited characters with the character passed in.
See the spec file for more examples.
Object keys starting with a $ or containing a . are reserved for use by MongoDB as operators. Without this sanitization, malicious users could send an object containing a $ operator, or including a ., which could change the context of a database operation. Most notorious is the $where operator, which can execute arbitrary JavaScript on the database.
The best way to prevent this is to sanitize the received data, and remove any offending keys, or replace the characters with a 'safe' one.
Inspired by mongo-sanitize.
MIT
FAQs
Sanitize your express payload to prevent MongoDB operator injection.
We found that express-mongo-sanitize demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
CISA launched a new project called Vulnrichment to enrich CVEs with details that help prioritize patching and mitigation efforts, as the NVD backlog of unenriched CVEs awaiting analysis surpasses 10,000.
Security News
Socket is joining forces with CISA and other industry leaders at the RSA Conference to sign the Secure by Design pledge, committing to uphold the highest security standards in our products.
Research
The Socket research team breaks down a sampling of malicious packages that download and execute files, among other suspicious behaviors, targeting the popular Discord platform.