MongoSecure
MongoSecure is a Node.js module, used as an Express.js middleware, that prevents potential NoSQL injection flaws which might allow attackers to exploit the application and perform unauthorized actions.
I would like to thank x00, who gave me a head start on fixing this issue and creating a middleware for you. Question originally asked on Stack Overflow.
Why you need this
I have posted a complete article on dev.to about this, showing how an application can be targeted and exploited with NoSQL injection payloads.
You can find my article posted here: https://dev.to/tbhaxor/one-step-to-prevent-potential-nosql-injection-in-your-mongodb-application-40f9
Other reasons are as follows:
- Fixes the above-mentioned vulnerability without any complexity
- Minimizes the time needed to validate data and report it as tainted
- Slim and fast
- No additional skill or library required
- Does not change the original value of req.body (see Usage)
Requirements
- NodeJS 10+
- Mongoose or MongoDB
- Express 4+
Installation
Install via NPM
npm i @tbhaxor/mongo-secure
Install via Yarn
yarn add @tbhaxor/mongo-secure
Usage
Require the package
// es6
import mongoSecure from '@tbhaxor/mongo-secure'
import express from 'express'
// commonjs
const express = require('express')
const mongoSecure = require('@tbhaxor/mongo-secure').default
const app = express()
app.use(express.json())
app.use(mongoSecure({ limit: 2, replaceWith: 'Insecure Property Detected' })) // use it after `express.json` middleware
To access the protected body, use req.protectedBody in the Express router:
app.post('/', function (req, res) {
let myProtectedData = req.protectedBody
res.json({ insecureData: req.body, securedData: myProtectedData })
})
API
The function requires two option fields: limit and replaceWith.
maxNestedLimit
DEPRECATED: this option is deprecated, please use limit instead.
limit
A numerical field that accepts an integer starting from 1. It is the maximum nesting depth to be deserialized. Any nested property that is an instance of Object beyond that depth is replaced with the value of replaceWith.
replaceWith
A string field that accepts any string; there is no constraint on it. When a nested object hits the limit, the object is replaced with this text.
For example, if limit is 1 and replaceWith is Unprotected, then
{ "name": "Gurkirat", "username": "tbhaxor", "address": { "country": "India", "location": "New Delhi" } }
would be converted to
{ "name": "Gurkirat", "username": "tbhaxor", "address": "Unprotected" }
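The following is an added reference implementation of the nesting-limit behaviour described in the Usage and API sections above; it is not the code of the @tbhaxor/mongo-secure package, and the names limitNesting, nestingLimitMiddleware and demo are hypothetical. It assumes the body has already been parsed by express.json(), treats arrays as nested objects (following the README's "instance of Object" wording, which is an assumption about the real module), leaves req.body untouched and places the sanitized copy on req.protectedBody. It also goes one step beyond the README example by showing why the depth limit matters for injection: an operator object such as { "$ne": "" } sent in place of a password string is itself a nested object, so with limit 1 it is replaced by the placeholder before it can reach a query.

```javascript
// Added example, not the module's own code. Names are hypothetical.

// Treat any non-null object (arrays included) as a nesting level, matching the
// README's "instance of Object" wording (assumption about the real module).
const isNested = (v) => typeof v === 'object' && v !== null;

// Return a copy of `value` in which every object nested deeper than `limit`
// levels is replaced by `replaceWith`. `depth` 0 is the request body itself,
// so its direct properties sit at depth 1. The input is never mutated.
function limitNesting(value, limit, replaceWith, depth = 0) {
  if (!isNested(value)) return value; // strings, numbers, booleans, null pass through
  if (depth >= limit) return replaceWith; // too deep: drop the whole sub-object
  if (Array.isArray(value)) {
    return value.map((item) => limitNesting(item, limit, replaceWith, depth + 1));
  }
  const out = {};
  for (const key of Object.keys(value)) {
    out[key] = limitNesting(value[key], limit, replaceWith, depth + 1);
  }
  return out;
}

// Express-style middleware factory: validates the options once, then exposes the
// sanitized body as req.protectedBody while leaving req.body as parsed.
function nestingLimitMiddleware({ limit, replaceWith }) {
  if (!Number.isInteger(limit) || limit < 1) {
    throw new TypeError('limit must be an integer >= 1');
  }
  if (typeof replaceWith !== 'string') {
    throw new TypeError('replaceWith must be a string');
  }
  return function (req, res, next) {
    req.protectedBody = limitNesting(req.body, limit, replaceWith);
    next();
  };
}

// Constructed sample requests (no real traffic). Calls the middleware with a
// stub `next` the way Express would and returns what a handler would observe.
function demo() {
  const middleware = nestingLimitMiddleware({ limit: 1, replaceWith: 'Unprotected' });

  // The README example: the nested "address" object is beyond limit 1.
  const readmeReq = {
    body: {
      name: 'Gurkirat',
      username: 'tbhaxor',
      address: { country: 'India', location: 'New Delhi' },
    },
  };
  middleware(readmeReq, {}, () => {});

  // A login body where "password" arrives as an operator object instead of a
  // string; with limit 1 the object is replaced, so no operator reaches the query.
  const loginReq = { body: { username: 'alice', password: { $ne: '' } } };
  middleware(loginReq, {}, () => {});

  return {
    readme: readmeReq.protectedBody,
    login: loginReq.protectedBody,
    // req.body keeps its original nested object, as the README promises.
    originalUntouched: isNested(readmeReq.body.address),
  };
}

module.exports = { limitNesting, nestingLimitMiddleware, demo };
```

Note that the depth limit only neutralizes an operator object when that object lies beyond the configured limit: with limit 2, as in the Usage snippet, { "password": { "$ne": "" } } sits at depth 1 and survives untouched, so a handler should still check that fields it passes into a query have the expected primitive type (for example typeof req.protectedBody.password === 'string').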
Using other tech stacks
You can use mongo-secure with other Node.js projects as well; this module doesn't limit you to Express.js.
To use this module on another platform, you can use this example
Development
You can be a developer of the mongo-secure module. To set up the development environment:
- Fork the repository
- Clone the repository (git clone git@github.com:<user-name>/mongo-secure.git)
- Install the packages (yarn install)
- Start development
Test whether your modification works correctly:
yarn test
Note: if you are adding a feature, you must include a test case in test/<feature-name>.spec.ts
For more information read the Contributing Guidelines
Licensing
@tbhaxor/mongo-secure is licensed under the MIT License.
Contact the Author
Follow the links to reach me:
- Email: tbhaxor@gmail.com
- Twitter: @tbhaxor
- Facebook: @tbhaxor
- GitHub: @tbhaxor
- LinkedIn: @gurkirat--singh
- Instagram: @tbhaxor