UNPKG

qgenutils

Version:

A security-first Node.js utility library providing authentication, HTTP operations, URL processing, validation, datetime formatting, and template rendering. Designed as a lightweight alternative to heavy npm packages with comprehensive error handling and

93 lines (81 loc) 3.32 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
/** * Recursively Sanitize Object Properties to Prevent Injection Attacks * * RATIONALE: Complex data structures from user input (JSON payloads, form data) * may contain malicious content in nested properties. This function provides * deep sanitization while preserving data structure and types. * * SECURITY APPROACH: * - Recursively traverse all object properties and array elements * - Apply string sanitization to all string values and property keys * - Preserve non-string data types (numbers, booleans, null) * - Handle circular references and deep nesting gracefully * - Maintain original object structure for compatibility * * @param {any} obj - Object, array, or primitive to sanitize recursively * @returns {any} Sanitized copy with same structure but safe string values * @throws Never throws - returns sanitized version or empty object on error */ // Defensive require for qerrors to prevent test environment failures let qerrors; try { const qerrorsModule = require('qerrors'); qerrors = qerrorsModule && qerrorsModule.qerrors ? qerrorsModule.qerrors : (qerrorsModule && qerrorsModule.default) ? qerrorsModule.default : qerrorsModule; } catch (err) { // Provide a no-op fallback so tests won't fail if qerrors is absent qerrors = function () { /* no-op error reporter for test envs */ }; } const logger = require('../logger'); const sanitizeString = require('../utilities/string/sanitizeString'); function sanitizeObjectRecursively(obj, seen = new WeakSet()) { try { // Handle string values directly if (typeof obj === 'string') { return sanitizeString(obj); } // Handle arrays by mapping over elements if (Array.isArray(obj)) { // Check for circular references if (seen.has(obj)) { logger.warn('sanitizeObjectRecursively detected circular reference in array'); return '[circular]'; } seen.add(obj); const result = obj.map(item => sanitizeObjectRecursively(item, seen)); seen.delete(obj); return result; } // Handle objects by sanitizing both keys and values if (typeof obj === 'object' && obj !== null) { // Check for circular references if (seen.has(obj)) { logger.warn('sanitizeObjectRecursively detected circular reference in object'); return '[circular]'; } seen.add(obj); const sanitized = {}; for (const [key, value] of Object.entries(obj)) { const sanitizedKey = sanitizeString(key); sanitized[sanitizedKey] = sanitizeObjectRecursively(value, seen); } seen.delete(obj); return sanitized; } // Return primitives (numbers, booleans, null, undefined) unchanged return obj; } catch (error) { qerrors(error, 'sanitizeObjectRecursively', { objType: typeof obj, isArray: Array.isArray(obj), errorMessage: error.message }); logger.error('sanitizeObjectRecursively failed with unexpected error', { error: error.message, stack: error.stack, objType: typeof obj }); // Return empty object as safe fallback for objects, empty string for others return typeof obj === 'object' && obj !== null && !Array.isArray(obj) ? {} : ''; } } module.exports = sanitizeObjectRecursively;