pariazar / perfect-express-sanitizer

A complete package to control user input data to prevent Cross-Site Scripting (XSS), SQL injection and NoSQL injection attacks
https://www.npmjs.com/package/perfect-express-sanitizer
MIT License

Doesn't sanitize for NoSQL (MongoDB) when used as Express middleware. #25

Closed void5253 closed 2 months ago

void5253 commented 5 months ago
import express from "express";
import sanitizer from "perfect-express-sanitizer";

const app = express();
app.use(express.json()); // parse JSON bodies so req.body exists for the sanitizer

// Sanitizer registered as global middleware, NoSQL checking enabled
app.use(
  sanitizer.clean({
    xss: true,
    noSql: true,
    noSqlLevel: 5,
  })
);

I have a MongoDB collection of users and a '/login' route.

const user = await User.findOne({ email }).select("+password"); // Want to prevent NoSQL injection here

If I send a request with body:

{
  "email": {"$gt": ""},
  "password": "test1234"
}

I'm expecting the middleware to sanitize the request to stop NoSQL injection. But the request succeeds and I'm able to log in, even though I expect the middleware to stop this.

{
    "status": "success",
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjY2MTQxYmNhMGQzNTZlOGI5M2E3ZjkyYiIsImlhdCI6MTcxMjY2Mjc1OCwiZXhwIjoxNzE1MjU0NzU4fQ.CH7wXtxtbes_UsXtYMubn2ISCv-1tuxHegYJmbZFXtU",
    "user": {
        "_id": "66141bca0d356e8b93a7f92b",
        "name": "abc",
        "email": "abc@gmail.com",
        "role": "user",
        "passwordChangedAt": "2024-04-08T17:32:29.715Z",
        "__v": 0
    }
}

pariazar commented 5 months ago

By default, keys are not sanitized. However, if you want to sanitize keys, you can use the sanitizeKeys option available in version 2.0.2 or later.

app.use(
  sanitizer.clean({
    xss: true,
    noSql: true,
    noSqlLevel: 5,
    sanitizeKeys: true, // also sanitize object keys such as "$gt" (version 2.0.2 or later)
  })
);
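As an added illustration (not code from perfect-express-sanitizer), the block below shows what a key-sanitizing pass has to do to the login body from this report, and adds a type check on the '/login' route that holds even if the middleware is misconfigured; the function names are my own and the body is the one posted above.

```javascript
// Added example, not the library's implementation. Assumes the JSON body has
// already been parsed (e.g. by express.json()); no external dependencies.

// Keys beginning with "$" are MongoDB query/update operators and keys containing
// "." address nested fields. Neither should ever arrive from a client.
function isOperatorKey(key) {
  return key.startsWith("$") || key.includes(".");
}

// Recursively copy `value`, dropping operator keys at every nesting level.
// Arrays are walked element by element; primitives are returned unchanged.
function stripOperatorKeys(value) {
  if (Array.isArray(value)) return value.map(stripOperatorKeys);
  if (value === null || typeof value !== "object") return value;
  const clean = {};
  for (const [key, inner] of Object.entries(value)) {
    if (isOperatorKey(key)) continue; // drops {"$gt": ""} and similar
    clean[key] = stripOperatorKeys(inner);
  }
  return clean;
}

// Express-style middleware: replace req.body with the stripped copy.
function sanitizeBodyKeys(req, res, next) {
  req.body = stripOperatorKeys(req.body);
  next();
}

// Second, independent guard for the /login route: the filter passed to
// findOne() only ever contains strings, so an object like {"$gt": ""}
// can never become part of the query.
function buildLoginFilter(body) {
  if (typeof body.email !== "string" || typeof body.password !== "string") {
    throw new TypeError("email and password must be strings");
  }
  return { email: body.email };
}

// Constructed sample: the exact request body from the issue report.
const injectedReq = { body: { email: { $gt: "" }, password: "test1234" } };
sanitizeBodyKeys(injectedReq, {}, () => {});
// injectedReq.body.email is now {}: the operator key is gone, and
// buildLoginFilter(injectedReq.body) throws because email is not a string.
```

Either layer alone stops the bypass shown in this issue; keeping both means a middleware ordering mistake does not silently reopen it.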