Express 4.x middleware which sanitizes user-supplied data to prevent MongoDB Operator Injection.
This module searches for any keys in objects that begin with a $
sign or contain a .
, from req.body
, req.query
, req.headers
or req.params
. It can then either:
The behaviour is governed by the passed option, replaceWith
. Set this option to have the sanitizer replace the prohibited characters with the character passed in.
The config option allowDots
can be used to allow dots in the user-supplied data. In this case, only instances of $
will be sanitized.
See the spec file for more examples.
Object keys starting with a $
or containing a .
are reserved for use by MongoDB as operators. Without this sanitization, malicious users could send an object containing a $
operator, or including a .
, which could change the context of a database operation. Most notorious is the $where
operator, which can execute arbitrary JavaScript on the database.
The best way to prevent this is to sanitize the received data, and remove any offending keys, or replace the characters with a 'safe' one.
npm install express-mongo-sanitize
Add as a piece of express middleware, before defining your routes.
const express = require('express');
const bodyParser = require('body-parser');
const mongoSanitize = require('express-mongo-sanitize');
const app = express();
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());
// By default, $ and . characters are removed completely from user-supplied input in the following places:
// - req.body
// - req.query
// - req.params
// - req.headers
// To remove data using these defaults:
app.use(mongoSanitize());
// Or, to replace these prohibited characters with _, use:
app.use(
mongoSanitize({
replaceWith: '_',
}),
);
// Or, to sanitize data that only contains $, without .(dot)
// Can be useful for letting data pass that is meant for querying nested documents.
// NOTE: This may cause some problems on older versions of MongoDb
// READ MORE: https://github.com/fiznool/express-mongo-sanitize/issues/36
app.use(
mongoSanitize({
allowDots: true,
}),
);
// Both allowDots and replaceWith
app.use(
mongoSanitize({
allowDots: true,
replaceWith: '_',
}),
);
onSanitize
onSanitize
callback is called after the request's value was sanitized.
app.use(
mongoSanitize({
onSanitize: ({ req, key }) => {
console.warn(`This request[${key}] is sanitized`, req);
},
}),
);
dryRun
You can run this middleware as dry run mode.
app.use(
mongoSanitize({
dryRun: true,
onSanitize: ({ req, key }) => {
console.warn(`[DryRun] This request[${key}] will be sanitized`, req);
},
}),
);
You can also bypass the middleware and use the module directly:
const mongoSanitize = require('express-mongo-sanitize');
const payload = {...};
// Remove any keys containing prohibited characters
mongoSanitize.sanitize(payload);
// Replace any prohibited characters in keys
mongoSanitize.sanitize(payload, {
replaceWith: '_'
});
// Exclude sanitization of . (dot), only sanitize data that contains $.
// NOTE: This may cause some problems on older versions of MongoDb
// READ MORE: https://github.com/fiznool/express-mongo-sanitize/issues/36
mongoSanitize.sanitize(payload, {
allowDots: true
});
// Both allowDots and replaceWith
mongoSanitize.sanitize(payload, {
allowDots: true,
replaceWith: '_'
});
// Check if the payload has keys with prohibited characters
const hasProhibited = mongoSanitize.has(payload);
// Check if the payload has keys with prohibited characters (`.` is excluded).
// If the payload only has `.` it will return false (since it doesn't see the data with `.` as malicious)
const hasProhibited = mongoSanitize.has(payload, true);
PRs are welcome! Please add test coverage for any new features or bugfixes, and make sure to run npm run prettier
before submitting a PR to ensure code consistency.
Inspired by mongo-sanitize.
MIT