This package has been deprecated

Author message:

Project is no longer maintained

@tbhaxor/mongo-secure

1.0.3 • Public • Published

MongoSecure

MongoSecure is a Node.js module, packaged as an Express.js middleware, that helps prevent NoSQL injection flaws which could let attackers exploit the application and perform unauthorized actions.

I would like to thank x00, who gave me the head start to fix this issue and create this middleware for you. The question was originally asked on Stack Overflow.

Why you need this

I have posted a complete article on dev.to showing how an application can be targeted and exploited with NoSQL injection payloads.

You can find my article posted here: https://dev.to/tbhaxor/one-step-to-prevent-potential-nosql-injection-in-your-mongodb-application-40f9

Other reasons are as follows:

  1. Fixes the vulnerability mentioned above without adding complexity
  2. Minimizes the time needed to validate data and report it as tainted
  3. Slim and fast
  4. No additional skills or libraries required
  5. Does not change the original value of req.body (see Usage below)

Requirements

  • NodeJS 10+
  • Mongoose or MongoDB
  • Express 4+

Installation

Install via NPM

npm i @tbhaxor/mongo-secure

Install via Yarn

yarn add @tbhaxor/mongo-secure

Usage

Require the package

// ES modules
import mongoSecure from '@tbhaxor/mongo-secure'
import express from 'express'

// CommonJS (pick one import style per file, not both)
const express = require('express')
const mongoSecure = require('@tbhaxor/mongo-secure').default

const app = express()

app.use(express.json())
// mongoSecure must be registered after `express.json`, because it reads the parsed req.body
app.use(mongoSecure({ limit: 2, replaceWith: 'Insecure Property Detected' }))

To access the protected body, use req.protectedBody in your Express route handler:

app.post('/', function (req, res) {
  let myProtectedData = req.protectedBody
  res.json({ insecureData: req.body, securedData: myProtectedData })
})

API

The middleware factory takes an options object with two fields: limit and replaceWith.

maxNestedLimit

Deprecated. Use limit instead.

limit

A numeric field that accepts an integer starting from 1. It is the maximum nesting depth that will be deserialized: any nested property that is an instanceof Object beyond that depth is replaced with the value of replaceWith.

replaceWith

A string field that accepts any string, with no constraints. When a nested object exceeds the limit, the object is replaced with this text.

For example, if limit is 1 and replaceWith is Unprotected, then

{ "name": "Gurkirat", "username": "tbhaxor", "address": { "country": "India", "location": "New Delhi" } }

would be converted as

{ "name": "Gurkirat", "username": "tbhaxor", "address": "Unprotected" }
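To make the depth rule concrete, here is an added example (not the package's own source) that reimplements the described behaviour as a stand-alone function plus an Express-style wrapper; the function name protectBody, the wrapper mongoSecureLike and the sample body are assumptions for illustration. It generalizes the README's example slightly by treating arrays as nested objects too, since they are also instanceof Object.

```javascript
// Stand-alone reimplementation of the depth-capping rule described above.
// Any value that is an object (arrays included) nested deeper than `limit`
// is replaced with `replaceWith`; primitives pass through untouched.
// The input is never mutated: a fresh copy is returned.
function protectBody(body, { limit, replaceWith }) {
  if (!Number.isInteger(limit) || limit < 1) {
    throw new TypeError('limit must be an integer >= 1');
  }
  if (typeof replaceWith !== 'string') {
    throw new TypeError('replaceWith must be a string');
  }

  // depth 1 is the body itself; its own properties sit at depth 2
  function walk(value, depth) {
    if (value === null || typeof value !== 'object') return value; // primitive
    if (depth > limit) return replaceWith;                         // too deep
    if (Array.isArray(value)) return value.map((v) => walk(v, depth + 1));
    const copy = {};
    for (const [key, v] of Object.entries(value)) copy[key] = walk(v, depth + 1);
    return copy;
  }

  return walk(body, 1);
}

// Express-style middleware factory (assumed shape, for illustration only):
// leaves req.body as-is and exposes the capped copy as req.protectedBody.
function mongoSecureLike(options) {
  return function (req, res, next) {
    req.protectedBody = protectBody(req.body, options);
    next();
  };
}

// Constructed sample body, matching the README's example above.
const sampleBody = {
  name: 'Gurkirat',
  username: 'tbhaxor',
  address: { country: 'India', location: 'New Delhi' },
};

// With limit 1 the nested address object is replaced; with limit 2 it survives.
console.log(JSON.stringify(protectBody(sampleBody, { limit: 1, replaceWith: 'Unprotected' })));
console.log(JSON.stringify(protectBody(sampleBody, { limit: 2, replaceWith: 'Unprotected' })));
```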

Using other tech stacks

You can use mongo-secure in other Node.js projects as well; the module does not limit you to Express.js.

To use this module on another platform, you can follow this example.

Development

You can contribute to the mongo-secure module. To set up the development environment:

  1. Fork the repository
  2. Clone the repository (git clone git@github.com:<user-name>/mongo-secure.git)
  3. Install the packages (yarn install)
  4. Start the development

Test whether your modification works correctly:

yarn test

Note: if you are adding a feature, you must include a test case in test/<feature-name>.spec.ts

For more information read the Contributing Guidelines

Licensing

@tbhaxor/mongo-secure is licensed under the MIT License.

Contact the Author

Follow the links to reach me
