
perfect-express-sanitizer - npm Package Compare versions

Comparing version 1.0.14 to 2.0.0

7

modules/custom_injection.js

@@ -0,7 +1,10 @@

function escapeRegExp(string) {
return string.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}
const removeDangerData = (value, options) =>
options.forbiddenTags.reduce(
(acc, item) => acc.replace(new RegExp(item, "ig"), "").trim(),
(acc, item) => acc.replace(new RegExp(options?.hasFile ? escapeRegExp(item) : item, 'ig'), "").trim(),
value
);
const sanitize = (data, keywords) => {

@@ -8,0 +11,0 @@ if (typeof data === "string") {
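Review bot: The escaping on the new `removeDangerData` line is keyed off the caller-supplied `options.hasFile` flag rather than the type of `item`, so a plain string in `forbiddenTags` that contains regex metacharacters (a keyword beginning with `$`, for instance) is still compiled as a pattern and may silently match nothing, while `escapeRegExp` itself throws a TypeError when a file entry has no `keyword` and `item` is undefined. Consider deciding per value instead: `const pattern = item instanceof RegExp ? item : escapeRegExp(String(item ?? ''));` followed by `acc.replace(new RegExp(pattern, 'ig'), '').trim()` — if string-typed patterns in `forbiddenTags` must stay supported, that is a documented behaviour change and the flag approach should at least guard non-string items. `options.forbiddenTags` on the line above is dereferenced unconditionally while this line uses `options?.hasFile`, so the optional chaining is misleading. The `sanitize` definition that starts at the end of the hunk continues outside it.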

@@ -0,1 +1,2 @@

const fs = require("fs");
const nosql_injection = require("./nosql_injection");

@@ -16,2 +17,4 @@ const sql_injection = require("./sql_injection");

level,
allowedKeys: [],
customizeFile
}

@@ -23,8 +26,26 @@ ) => {

}
if (options.forbiddenTags)
let forbiddenTags = options.forbiddenTags;
if(options.customizeFile){
try {
const fileData = fs.readFileSync(options.customizeFile, "utf8");
const jsonData = JSON.parse(fileData);
if(!Array.isArray(jsonData)){
console.error("Error invalid structure: file need array of keywords");
}
options.forbiddenTags = jsonData.map((wd)=> wd.keyword);
options.hasFile = true;
data = custom_sanitize.prepareSanitize(data, options);
options.forbiddenTags = forbiddenTags;
} catch (error) {
console.error("Error reading or parsing customize file:", error);
}
}
if (forbiddenTags){
options.hasFile = false;
data = custom_sanitize.prepareSanitize(data, options);
}
if (options.xss) data = xss_sanitize.prepareSanitize(data, options);
if (options.noSql)
data = nosql_injection.prepareSanitize(data, options.noSqlLevel);
if (options.sql) data = sql_injection.prepareSanitize(data, options.sqlLevel);
data = nosql_injection.prepareSanitize(data, options);
if (options.sql) data = sql_injection.prepareSanitize(data, options);

@@ -31,0 +52,0 @@ return data;
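Review bot: In the new `customizeFile` block the restore `options.forbiddenTags = forbiddenTags;` sits inside the `try`, so if `custom_sanitize.prepareSanitize` throws (for example on a file entry without a `keyword`) and the caller also set `forbiddenTags`, `options.forbiddenTags` is left pointing at the file-derived list and the following `if (forbiddenTags)` branch re-runs it with `options.hasFile = false`, i.e. those keywords are then compiled as unescaped patterns. Move the restore into a `finally` so the caller's options are always put back, and make the `!Array.isArray(jsonData)` case an early `return` or `throw` instead of logging and then calling `jsonData.map` anyway. `options` is the shared middleware config and these lines mutate it and `readFileSync` the keyword file on every call, so reading and parsing the file once at setup would avoid both the per-request I/O and the mutable shared state. From the visible lines the SQL and NoSQL sanitizers now receive the whole `options` object in place of `options.noSqlLevel` / `options.sqlLevel`; if those per-module levels are no longer honoured that deserves a README note. The enclosing function starts before this hunk and its `return data` follows it.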

@@ -15,2 +15,13 @@ const mongoLimit = require('../data/mongo.js');

}
function containsAllowedKey(item, allowedKeys) {
for (const key of allowedKeys) {
const regex = new RegExp(key.replace(/\./g, '\\.').replace(/\*/g, '.*').replace(/%/g, '.*'));
if (regex.test(item)) {
return true;
}
}
return false;
}
const detectNoSqlInjection = (value, level = 5) => {

@@ -37,4 +48,10 @@ const limits = mongoLimit.filter((item) => {

const sanitize = (data, level) => {
const sanitize = (data, options) => {
if(!options?.level) options.level = 5;
const { level } = options;
if (typeof data === "string") {
if(options?.allowedKeys?.includes(data)){
return data;
}
return noSQLSanitizer(data, level);

@@ -56,2 +73,5 @@ }

const item = data[key];
if(options?.allowedKeys && containsAllowedKey(item, options.allowedKeys)){
return data;
}
if (typeof item === "string") {

@@ -71,4 +91,4 @@ data[key] = noSQLSanitizer(item, level);

const prepareSanitize = (data, level = 5) => {
return sanitize(data, level);
const prepareSanitize = (data, options) => {
return sanitize(data, options);
};

@@ -75,0 +95,0 @@ module.exports = {
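Review bot: `containsAllowedKey` on the new lines is tested against the value `item`, and on a match the object branch does `return data;`, which hands back the entire object unsanitized as soon as any one field matches an allowed pattern instead of skipping just that field; the same lines appear in the sql_injection.js section, and the xss section returns `data[key]` instead. The intent reads as a per-field exemption, so `continue;` in place of `return data;` (and likewise in sql_injection.js) would keep the remaining fields sanitized. The regex built from `key` is also unanchored and only `.`, `*` and `%` are rewritten, so an allowed key such as `user` matches any value containing that substring and other metacharacters in a key are interpreted as regex; anchoring with `^...$` and escaping the remaining metacharacters before substituting the wildcards would make the allow-list exact. `if(!options?.level) options.level = 5;` writes to `options` right after optionally chaining it, so an undefined `options` still throws, and `level: 0` is silently replaced by 5. The `sanitize` body continues outside the hunk.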

@@ -16,2 +16,12 @@ const sqlLimits = require("../data/sql.js");

function containsAllowedKey(item, allowedKeys) {
for (const key of allowedKeys) {
const regex = new RegExp(key.replace(/\./g, '\\.').replace(/\*/g, '.*').replace(/%/g, '.*'));
if (regex.test(item)) {
return true;
}
}
return false;
}
const detectSqlInjection = (value, level = 5) => {

@@ -41,7 +51,13 @@ const limits = sqlLimits.filter((item) => {

const sanitize = (data, level) => {
const sanitize = (data, options) => {
if(!options?.level) options.level = 5;
const { level } = options;
if (typeof data === "string") {
if(options?.allowedKeys?.includes(data)){
return data;
}
return hasSqlInjection(data, level);
}
if (Array.isArray(data)) {
if (Array.isArray( )) {
return data.map((item) => {

@@ -60,2 +76,5 @@ if (typeof item === "string") {

const item = data[key];
if(options?.allowedKeys && containsAllowedKey(item, options.allowedKeys)){
return data;
}
if (typeof item === "string") {

@@ -75,4 +94,4 @@ data[key] = hasSqlInjection(item, level);

const prepareSanitize = (data, level = 5) => {
return sanitize(data, level);
const prepareSanitize = (data, options) => {
return sanitize(data, options);
};

@@ -82,2 +101,2 @@ module.exports = {

detectSqlInjection,
};
};
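Review bot: `if (Array.isArray( )) {` on the line after the old `if (Array.isArray(data)) {` calls `Array.isArray` with no argument, which always returns false; if that is the new side rather than a rendering artefact, arrays never enter the array branch and fall through to the code that follows, so it should read `if (Array.isArray(data)) {`. The allow-list `return data;` and the unanchored, partly unescaped `containsAllowedKey` regex in this section share the defect raised on the nosql_injection.js section. `sanitize` continues past the end of the hunk.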

@@ -17,2 +17,12 @@ "use strict";

function containsAllowedKey(item, allowedKeys) {
for (const key of allowedKeys) {
const regex = new RegExp(key.replace(/\./g, '\\.').replace(/\*/g, '.*').replace(/%/g, '.*'));
if (regex.test(item)) {
return true;
}
}
return false;
}
const detectXss = (value) => {

@@ -32,2 +42,5 @@ try {

if (typeof data === "string") {
if(options?.allowedKeys?.includes(data)){
return data;
}
return sanitizeHtml(data, options.sanitizerOptions);

@@ -51,2 +64,5 @@ }

}
if(options?.allowedKeys && containsAllowedKey(data[key], options.allowedKeys)){
return data[key];
}
const item = data[key];

@@ -53,0 +69,0 @@ if (typeof item === "string") {
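Review bot: The new allow-list check in the object loop does `return data[key];`, returning a single property value from a function whose string branch returns the sanitized input itself, so a caller receives a bare string in place of the object it passed in; `continue;` (skipping that key) matches the per-field exemption the nosql and sql sections appear to intend. `data[key]` is also read here just before the `const item = data[key];` line, so the check could be moved after it and use `item`. The shared `containsAllowedKey` helper is unanchored and only partly escaped, as raised on the nosql_injection.js section. The enclosing loop begins outside the hunk.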

{
"name": "perfect-express-sanitizer",
"version": "1.0.14",
"version": "2.0.0",
"description": "a complete package to control user input data to prevent Cross Site Scripting (XSS) ,Sql injection and no Sql injection attack",

@@ -5,0 +5,0 @@ "main": "index.js",

@@ -26,3 +26,3 @@ # Perfect Express Sanitizer

##### simple usage
### Basic usage

@@ -45,3 +45,3 @@ You can use perfect-express-sanitizer in any JavaScript project, not just with Express. Here’s an example of how to use the prepareSanitize method to sanitize a string:

##### Middleware
#### Middleware

@@ -62,6 +62,38 @@ You can also use `perfect-express-sanitizer` as a middleware in an Express app to automatically sanitize all incoming requests. Here’s an example of how to set it up:

#### Advance Usage
### Advance Usage
##### Define Custom keyword to sanitize
#### Define custom keyword to sanitize
`customizeFile`, which allows you to define custom keywords to sanitize sensitive data. This is perfect for cases where you want to avoid false positives and ensure that your real data is not wrongly lost.
#### How to Use `customizeFile`
To use this feature, simply follow these steps:
1. Create a JSON file containing your custom keywords like following custom_file.json.
```json
[
{
"keyword": "deleteCustom"
},
{
"keyword": "dropCustom"
}
]
```
2. Add the file path as the value for the `customizeFile` option when setting up the middleware.
Here's an example:
```javascript
app.use(
sanitizer.clean({
xss: true,
noSql: true,
sql: true,
customizeFile: './custom_file.json'
})
);
```
#### Define custom keyword and regular expressions to sanitize
`perfect-express-sanitizer` allows you to define custom keywords to sanitize from sensitive data. You can specify these keywords as strings or regular expressions in the forbiddenTags option when setting up the middleware. Here’s an example of how to define a custom keyword as a string:

@@ -68,0 +100,0 @@ </br>
