
    This package has been deprecated

    Author message:

    Project is no longer maintained

    @tbhaxor/mongo-secure (ships built-in TypeScript type declarations)

    1.0.3 • Public • Published

    MongoSecure



    MongoSecure is a Node.js module, written as an Express.js middleware, that mitigates NoSQL injection flaws in which an attacker smuggles query operators (objects such as { "$ne": null }) into a JSON request body and thereby makes the application perform unauthorized queries or actions.

    I would like to thank x00, who gave me the head start to fix this issue and create a middleware for you. The question was originally asked on Stack Overflow.

    Why you need this

    I have posted a complete article on dev.to showing how an application can be targeted and exploited with NoSQL injection payloads.

    You can find my article posted here: https://dev.to/tbhaxor/one-step-to-prevent-potential-nosql-injection-in-your-mongodb-application-40f9

    Other reasons are as follows:

    1. Fixes the vulnerability described above without adding complexity
    2. Minimizes the time needed to validate the data and report it as tainted
    3. Slim and fast
    4. No additional skills or libraries required
    5. Does not change the original value of req.body; the sanitized copy is exposed separately (see Usage)

    Requirements

    • NodeJS 10+
    • Mongoose or MongoDB
    • Express 4+

    Installation

    Install via NPM

    npm i @tbhaxor/mongo-secure
    

    Install via Yarn

    yarn add @tbhaxor/mongo-secure
    

    Usage

    Require the package

    // es6
    import mongoSecure from '@tbhaxor/mongo-secure'
    import express from 'express'
    
    // commonjs
    const express = require('express')
    const mongoSecure = require('@tbhaxor/mongo-secure').default
    
    const app = express()
    
    app.use(express.json())
    app.use(mongoSecure({ limit: 2, replaceWith: 'Insecure Property Detected' })) // use it after `express.json` middleware

    To access the protected body, use req.protectedBody in your Express route handlers; req.body keeps the original, unmodified payload:

    app.post('/', function (req, res) {
      let myProtectedData = req.protectedBody
      res.json({ insecureData: req.body, securedData: myProtectedData })
    })

    API

    The function takes an options object with two required fields, limit and replaceWith.

    maxNestedLimit

    Deprecated: use limit instead.

    limit

    A numeric field that accepts an integer starting from 1. It is the maximum nesting depth that is deserialized as-is, counting the top-level body as depth 1. Any nested property that is an instanceof Object (plain objects and arrays alike) beyond that depth is replaced with the replaceWith string.

    replaceWith

    A string field that accepts any string, with no constraints. When a nested object exceeds the configured limit, the object is replaced with this text.

    For example, if limit is 1 and replaceWith is Unprotected, then

    { "name": "Gurkirat", "username": "tbhaxor", "address": { "country": "India", "location": "New Delhi" } }

    would be converted as

    { "name": "Gurkirat", "username": "tbhaxor", "address": "Unprotected" }

    Using other tech stacks

    You can use mongo-secure in other Node.js projects as well; this module does not limit you to Express.js.

    To use this module on another platform, you can follow this example.
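    The limit/replaceWith behaviour described under Usage and API, and the framework-independent use mentioned just above, as one added worked example. This is the editor's own stand-alone reimplementation of the behaviour the README documents, not the package's source code; the names protectBody, mongoSecure, runMiddleware and demo, and the two sample request bodies, are constructed for this example. It runs with plain node and needs neither Express nor MongoDB, which is also how you would reuse the logic outside Express.

```javascript
// Added example (editor's code, not the @tbhaxor/mongo-secure source): a
// stand-alone reimplementation of the `limit` / `replaceWith` behaviour the
// README documents, so the effect on a NoSQL-injection payload can be seen
// without Express or MongoDB installed.

// Return a copy of `body` in which every value that is still an object (plain
// object or array, both are `instanceof Object`) at a nesting depth greater
// than `limit` is replaced by the string `replaceWith`. The top-level body is
// depth 1, so with limit 1 every object-valued field is replaced, with limit 2
// one level of nesting survives, and so on. `body` itself is never mutated.
function protectBody(body, { limit, replaceWith }) {
  if (!Number.isInteger(limit) || limit < 1) {
    throw new RangeError('limit must be an integer >= 1');
  }
  if (typeof replaceWith !== 'string') {
    throw new TypeError('replaceWith must be a string');
  }

  const walk = (value, depth) => {
    if (!(value instanceof Object)) return value; // null, strings, numbers, booleans pass through
    if (depth > limit) return replaceWith;        // object past the limit: neutralise it
    if (Array.isArray(value)) return value.map((item) => walk(item, depth + 1));
    const copy = {};
    for (const [key, item] of Object.entries(value)) {
      copy[key] = walk(item, depth + 1);
    }
    return copy;
  };

  return walk(body, 1);
}

// Express-style middleware factory with the README's contract: req.body is
// left untouched and the sanitised copy is exposed as req.protectedBody.
// Nothing here depends on Express; any framework that hands you the parsed
// body can call protectBody() directly instead.
function mongoSecure(options) {
  return function (req, _res, next) {
    req.protectedBody = protectBody(req.body, options);
    next();
  };
}

// Constructed sample bodies (not captured from a real application).
// The README's own example, a legitimate nested document:
const SAMPLE_BODY = {
  name: 'Gurkirat',
  username: 'tbhaxor',
  address: { country: 'India', location: 'New Delhi' },
};
// A classic NoSQL-injection login payload: with operators in the values,
//   User.findOne({ username: body.username, password: body.password })
// turns into a query that matches the first user in the collection.
const INJECTION_BODY = { username: { $ne: null }, password: { $gt: '' } };

// Drive the middleware the way Express would, with a minimal fake request,
// and hand the request back so both views of the body can be inspected.
function runMiddleware(body, options) {
  const req = { body };
  let nextCalled = false;
  mongoSecure(options)(req, {}, () => { nextCalled = true; });
  if (!nextCalled) throw new Error('middleware did not call next()');
  return req;
}

// Collect the interesting results in one object for printing or checking.
function demo() {
  const req = runMiddleware(INJECTION_BODY, { limit: 1, replaceWith: 'Insecure Property Detected' });
  return {
    originalBody: req.body,            // still carries the $ne / $gt operators
    protectedBody: req.protectedBody,  // both operator objects became plain strings
    readmeExample: protectBody(SAMPLE_BODY, { limit: 1, replaceWith: 'Unprotected' }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

    Querying with req.protectedBody turns the attacker's `{ "$ne": null }` into an ordinary string comparison that matches no user, which is the whole mitigation. Note what depth limiting does not catch: a body such as { "$where": "..." } keeps a string at the top level and passes through unchanged, so route handlers should still pick the specific fields they expect out of req.protectedBody (or validate against a schema) rather than passing the whole body into a query.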

    Development

    You can contribute to the mongo-secure module. To set up the development environment:

    1. Fork the repository
    2. Clone the repository (git clone git@github.com:<user-name>/mongo-secure.git)
    3. Install the packages (yarn install)
    4. Start the development

    Run the test suite to check that your modification works as intended:

    yarn test
    

    Note: if you are adding a feature, you must include its test case in test/<feature-name>.spec.ts

    For more information read the Contributing Guidelines

    Licensing

    @tbhaxor/mongo-secure is licensed under MIT License

    Contact the Author

    Follow the links to reach me

    Package metadata (from the npm listing)

    Version: 1.0.3
    License: MIT
    Unpacked Size: 24.4 kB
    Total Files: 29
    Collaborators: tbhaxor