UNPKG

@exortek/express-mongo-sanitize

Version:

Express middleware for NoSQL injection prevention — sanitizes request data

github.com/ExorTek/nosql-sanitize/tree/master/packages/express

ExorTek/nosql-sanitize

99 lines (72 loc) 2.84 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
# @exortek/express-mongo-sanitize <p align="center"> <img src="https://img.shields.io/npm/v/@exortek/express-mongo-sanitize?style=flat-square&color=339933" alt="npm version"> <img src="https://img.shields.io/badge/license-MIT-blue.svg?style=flat-square" alt="license"> </p> Express middleware for NoSQL injection prevention. Sanitizes request `body`, `query`, and `params` to protect MongoDB queries from operator injection attacks. ## 📦 Installation ```bash npm install @exortek/express-mongo-sanitize ``` ```bash yarn install @exortek/express-mongo-sanitize ``` ```bash pnpm install @exortek/express-mongo-sanitize ``` ## ⚡ Quick Start ```js const express = require('express'); const mongoSanitize = require('@exortek/express-mongo-sanitize'); const app = express(); app.use(express.json()); app.use(mongoSanitize()); app.post('/login', (req, res) => { // req.body is sanitized — { "$ne": "" } becomes { "ne": "" } res.json(req.body); }); ``` ## ⚙️ Options ```js app.use(mongoSanitize({ replaceWith: '', // Replace matched chars with this string removeMatches: false, // Remove entire key-value pair if pattern matches sanitizeObjects: ['body', 'query'], // Request fields to sanitize contentTypes: ['application/json', 'application/x-www-form-urlencoded'], mode: 'auto', // 'auto' | 'manual' skipRoutes: [], // Routes to skip (string or RegExp) recursive: true, // Sanitize nested objects maxDepth: null, // Max recursion depth (null = unlimited) onSanitize: ({ key, originalValue, sanitizedValue }) => { console.log(`Sanitized ${key}`); } })); ``` > For the full list of options, see the [Core README](../core/README.md#configuration-options). ## 🛠 Features ### Route Parameter Sanitization While `body` and `query` are sanitized automatically, route parameters can be sanitized using the `paramSanitizeHandler`: ```js const { paramSanitizeHandler } = require('@exortek/express-mongo-sanitize'); app.param('username', paramSanitizeHandler()); app.get('/user/:username', (req, res) => { // GET /user/$admin → req.params.username is "admin" res.json({ username: req.params.username }); }); ``` ### Manual Mode If you need fine-grained control over when sanitization occurs: ```js app.use(mongoSanitize({ mode: 'manual' })); app.post('/sensitive', (req, res) => { req.sanitize(); // Manually trigger sanitization res.json(req.body); }); ``` ### Content-Type Guard By default, only `application/json` and `application/x-www-form-urlencoded` bodies are sanitized to avoid corrupting binary data or file uploads. You can customize this: ```js app.use(mongoSanitize({ contentTypes: ['application/json', 'application/graphql'] })); ``` ## 📜 License [MIT](../../LICENSE) — Created by **ExorTek**