mongo-sanitizer
An Express.js middleware to prevent NoSQL injection attacks by sanitizing req.body, req.query, and req.params. Supports custom replacement and dot-notation handling.
;
/**
 * TypeScript-emitted interop helper: exposes property `key` of `src` on `dest` under
 * `alias` (defaults to `key`).
 * When `Object.defineProperty` is available the binding is installed as a live getter,
 * except when the source descriptor is already an accessor on an `__esModule` object,
 * or when the property is neither writable nor configurable — in those cases the
 * original descriptor is copied verbatim. Without `Object.create` a plain assignment is used.
 */
var __createBinding = (this && this.__createBinding) || (Object.create
    ? function (dest, src, key, alias) {
        var exportName = alias === undefined ? key : alias;
        var descriptor = Object.getOwnPropertyDescriptor(src, key);
        var wantsLiveGetter = !descriptor
            || ("get" in descriptor ? !src.__esModule : (descriptor.writable || descriptor.configurable));
        if (wantsLiveGetter) {
            // Live binding: reads go through to the source module each time.
            descriptor = { enumerable: true, get: function () { return src[key]; } };
        }
        Object.defineProperty(dest, exportName, descriptor);
    }
    : function (dest, src, key, alias) {
        dest[alias === undefined ? key : alias] = src[key];
    });
/**
 * TypeScript-emitted interop helper: stores the CommonJS module `mod` as the
 * `default` member of the namespace object `namespace`. Uses a non-writable,
 * enumerable data property when `Object.create` exists, a plain assignment otherwise.
 */
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create
    ? function (namespace, mod) {
        Object.defineProperty(namespace, "default", { enumerable: true, value: mod });
    }
    : function (namespace, mod) {
        namespace["default"] = mod;
    });
/**
 * TypeScript-emitted `import * as ns` helper.
 * Returns `mod` itself when it already carries `__esModule`; otherwise builds a fresh
 * namespace object, re-binds every own key except "default" through __createBinding,
 * and stores the module under `default` through __setModuleDefault.
 */
var __importStar = (this && this.__importStar) || (function () {
// On first use, picks the key-enumeration strategy once and rebinds `ownKeys` to it
// (Object.getOwnPropertyNames when present, else a for...in + hasOwnProperty scan).
var ownKeys = function(o) {
ownKeys = Object.getOwnPropertyNames || function (o) {
var ar = [];
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
return ar;
};
return ownKeys(o);
};
return function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
// A null/undefined module yields a namespace that only has `default`.
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
__setModuleDefault(result, mod);
return result;
};
})();
// TypeScript's CommonJS interop marker: tells consumers this module was compiled from ES-module syntax.
Object.defineProperty(exports, "__esModule", { value: true });
// Pre-declare the named exports (as undefined) before the getters below are installed.
exports.has = exports.sanitize = void 0;
// `qs` is used by expressSanitize to re-parse the raw query string; __importStar wraps the CommonJS module.
const qs = __importStar(require("qs"));
const sanitize_utils_1 = require("./sanitize-utils");
// Live re-exports: `exports.sanitize` / `exports.has` always resolve to the current sanitize-utils bindings.
Object.defineProperty(exports, "sanitize", { enumerable: true, get: function () { return sanitize_utils_1.sanitize; } });
Object.defineProperty(exports, "has", { enumerable: true, get: function () { return sanitize_utils_1.has; } });
/**
* Express middleware'i, gelen isteğin (req.body, req.query, req.params, req.headers) NoSQL enjeksiyon saldırılarına karşı temizlenmesini sağlar.
* Orijinal istek objesini değiştirmek yerine, bu özelliklerin temizlenmiş (sanitized) versiyonlarını req.sanitizedBody, req.sanitizedQuery vb. gibi yeni özelliklere atar.
* Güvenli veri erişimi için geliştiricilerin KESİNLİKLE 'sanitized' önekli özellikleri kullanması gerekir.
* ÖNEMLİ: `req.params`'ın güvenilir bir şekilde temizlenebilmesi için, `mongoSanitizer()` middleware'i, ilgili rota tanımında (örneğin: `app.get('/path/:id', mongoSanitizer(), (req, res) => { ... })` veya `router.get('/path/:id', mongoSanitizer(), (req, res) => { ... })`) parametreleri kullanan rota işleyicisinden hemen önce yerleştirilmelidir.
* @param options - Middleware seçenekleri.
* @returns Express middleware fonksiyonu.
*/
/**
* Express middleware to prevent NoSQL injection attacks by sanitizing req.body, req.query, req.params, and req.headers of the incoming request.
* Instead of modifying the original request object, it assigns the sanitized versions of these properties to new properties like req.sanitizedBody, req.sanitizedQuery, etc.
* Developers MUST use the 'sanitized' prefixed properties for secure data access.
* IMPORTANT: For `req.params` to be reliably sanitized, the `mongoSanitizer()` middleware should be placed directly before the route handler within its specific route definition (e.g., `app.get('/path/:id', mongoSanitizer(), (req, res) => { ... })` or `router.get('/path/:id', mongoSanitizer(), (req, res) => { ... })`).
* @param options - Middleware options.
* @returns Express middleware function.
*/
/**
* Express-Middleware zur Verhinderung von NoSQL-Injection-Angriffen durch Bereinigung von req.body, req.query, req.params und req.headers der eingehenden Anfrage.
* Anstatt das ursprüngliche Anfrageobjekt zu ändern, weist es die bereinigten Versionen dieser Eigenschaften neuen Eigenschaften wie req.sanitizedBody, req.sanitizedQuery usw. zu.
* Entwickler MÜSSEN die mit 'sanitized' präfixierten Eigenschaften für einen sicheren Datenzugriff verwenden.
* WICHTIG: Damit `req.params` zuverlässig bereinigt werden kann, sollte die `mongoSanitizer()`-Middleware direkt vor dem Routen-Handler innerhalb seiner spezifischen Routendefinition platziert werden (z. B. `app.get('/path/:id', mongoSanitizer(), (req, res) => { ... })` oder `router.get('/path/:id', mongoSanitizer(), (req, res) => { ... })`).
* @param options - Middleware-Optionen.
* @returns Express-Middleware-Funktion.
*/
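/**
 * Builds the middleware. Sanitized copies are published on `req.sanitizedBody`,
 * `req.sanitizedQuery`, `req.sanitizedParams` and `req.sanitizedHeaders`; the original
 * `req.body` / `req.query` / `req.params` / `req.headers` are not modified, so code that
 * keeps reading the unprefixed properties still sees unsanitized input.
 * @param {object} [options={}] - Middleware options; the whole object is also forwarded to `_sanitize`.
 * @param {string[]} [options.fields] - Request parts to process, any of 'body', 'params', 'query', 'headers'. Defaults to all four.
 * @param {boolean} [options.allowDots] - Forwarded to `qs.parse` when the query string is re-parsed.
 * @param {Function} [options.onSanitize] - Invoked as `onSanitize({ req, key })` once per field in which `_sanitize` reported a change.
 * @returns {Function} `(req, res, next)` middleware; `next()` is called synchronously after all fields are processed.
 */
function expressSanitize(options = {}) {
    const hasOnSanitize = typeof options.onSanitize === 'function';
    const fieldsToSanitize = options.fields || [
        'body',
        'params',
        'query',
        'headers',
    ];
    // Shared tail of every field: sanitize `source`, publish the copy on `req[targetProp]`,
    // and notify the caller once if `_sanitize` reported that something was rewritten.
    const publishSanitized = (req, key, targetProp, source) => {
        const { isSanitized, target } = (0, sanitize_utils_1._sanitize)(source, options);
        req[targetProp] = target;
        if (isSanitized && hasOnSanitize) {
            options.onSanitize({ req, key });
        }
    };
    return function (req, res, next) {
        // Guarantee the four sanitized properties exist even for fields that are skipped
        // below, so downstream handlers can read them without a null check.
        for (const prop of ['sanitizedBody', 'sanitizedQuery', 'sanitizedParams', 'sanitizedHeaders']) {
            if (!req[prop]) {
                req[prop] = {};
            }
        }
        // Query: parsed here from the raw `req.url` rather than taken from `req.query`.
        // NOTE(review): because of that, `req.sanitizedQuery` can be shaped differently from
        // `req.query` when the app configured its own query parser — confirm this is intended.
        // `allowPrototypes: false` (the qs default) makes qs drop keys that collide with
        // Object.prototype members such as `__proto__` or `constructor`.
        if (fieldsToSanitize.includes('query') && req.url) {
            const queryStringIndex = req.url.indexOf('?');
            if (queryStringIndex !== -1) {
                const parsedQuery = qs.parse(req.url.substring(queryStringIndex + 1), {
                    allowDots: options.allowDots,
                    allowPrototypes: false,
                });
                publishSanitized(req, 'query', 'sanitizedQuery', parsedQuery);
            }
        }
        // Params: copy own enumerable string keys onto a plain object before sanitizing.
        // This is exactly what the previous for...in + hasOwnProperty loop collected; the
        // Object.getOwnPropertyNames() fallback that followed it was unreachable, because the
        // length guard below already requires at least one own enumerable key.
        if (fieldsToSanitize.includes('params') && req.params) {
            const paramKeys = Object.keys(req.params);
            if (paramKeys.length > 0) {
                const tempParams = {};
                for (const key of paramKeys) {
                    tempParams[key] = req.params[key];
                }
                publishSanitized(req, 'params', 'sanitizedParams', tempParams);
            }
        }
        // Body: only object bodies (including arrays) are sanitized; a string or other
        // primitive body is left alone and `req.sanitizedBody` keeps its initial value.
        if (fieldsToSanitize.includes('body') && req.body && typeof req.body === 'object') {
            publishSanitized(req, 'body', 'sanitizedBody', req.body);
        }
        // Headers: same object-only rule as the body.
        if (fieldsToSanitize.includes('headers') && req.headers && typeof req.headers === 'object') {
            publishSanitized(req, 'headers', 'sanitizedHeaders', req.headers);
        }
        next();
    };
}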
// Default export is the middleware factory itself; `sanitize` and `has` stay available as named exports.
exports.default = expressSanitize;
//# sourceMappingURL=index.js.map