UNPKG

perfect-express-sanitizer

Version:

a complete package to control user input data to prevent Cross Site Scripting (XSS) ,Sql injection and no Sql injection attack

github.com/pariazar/perfect-express-sanitizer

pariazar/perfect-express-sanitizer

100 lines (93 loc) 2.76 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
const mongoLimit = require('../data/mongo.js'); function noSQLSanitizer(input, level) { const limits = mongoLimit.filter((item) => { if (item.level <= level) { return item.keyword } }); const keywords = limits.map((item) => item.keyword); keywords.forEach((keyword) => { input = input.replace(keyword, ''); }); return input; } function containsAllowedKey(item, allowedKeys) { for (const key of allowedKeys) { const regex = new RegExp(key.replace(/\./g, '\\.').replace(/\*/g, '.*').replace(/%/g, '.*')); if (regex.test(item)) { return true; } } return false; } const detectNoSqlInjection = (value, level = 5) => { const limits = mongoLimit.filter((item) => { if (item.level <= level) { return item.keyword } }); const keywords = limits.map((item) => item.keyword); let result = false; keywords.forEach(item => { try { if (value.includes(item) && !item.includes('||') && !item.includes('/*')) { result = true; } } catch (error) { // console.log(error); } }); return result; } const sanitize = (data, options) => { if(!options?.level) options.level = 5; const { level } = options; if (typeof data === "string") { if(options?.allowedKeys?.includes(data)){ return data; } return noSQLSanitizer(data, level); } if (Array.isArray(data)) { return data.map((item) => { if (typeof item === "string") { return noSQLSanitizer(item, level); } if (Array.isArray(item) || typeof item === "object") { return sanitize(data, level); } return item; }); } if (typeof data === "object" && data !== null) { let sanitizedData = {}; Object.keys(data).forEach((key) => { let item = data[key]; if(options?.allowedKeys && containsAllowedKey(item, options.allowedKeys)){ sanitizedData[key] = item; } if (typeof item === "string") { sanitizedData[options.sanitizeKeys ? noSQLSanitizer(key, level) : key] = noSQLSanitizer(item, level); } else if(typeof item === "boolean" || typeof item === "number") { sanitizedData[key] = item } else if (Array.isArray(item) || typeof item === "object") { try { sanitizedData[options.sanitizeKeys ? noSQLSanitizer(key, level) : key] = sanitize(item, options); } catch (error) { sanitizedData[key] = item; } } }); return sanitizedData; } return data; }; const prepareSanitize = (data, options) => { return sanitize(data, options); }; module.exports = { prepareSanitize, detectNoSqlInjection };