    fastify-mongodb-sanitizer

    1.1.0 • Public • Published

    Slim, well-tested, zero-dependency Fastify plugin that sanitizes all client-supplied inputs (route parameters, query string and body) in a request hook to reduce the risk of MongoDB query-operator injection. To tighten security further, consider disabling server-side execution of JavaScript, or be extra cautious when running $where and MapReduce commands (advice taken from the MongoDB FAQ).

    Install

    npm install --save fastify-mongodb-sanitizer
    

    Usage

    fastify-mongodb-sanitizer registers a preHandler hook that removes, from the request's URL parameters, query string and body, every key and every string value that starts with "$" (the MongoDB operator prefix). Each of the three inputs can be switched on or off through the options object passed at registration.

    const fastify = require('fastify')();
    const fastifyMongoDbSanitizer = require('fastify-mongodb-sanitizer');
    
    // Choose which request inputs the preHandler hook sanitizes.
    const fastifyMongoDbSanitizerOptions = {
        params: true, // route parameters (request.params)
        query: true,  // query string (request.query)
        body: true,   // parsed body (request.body)
    };
    
    fastify
        .register(fastifyMongoDbSanitizer, fastifyMongoDbSanitizerOptions)
        .get('/', (request, reply) => reply.send({ hello: 'world' }))
        .listen({ port: 3000 });

    Example

    In the following POST request

    server.inject({
        method: 'POST',
        url: `/$aaaa?$bbbb=10&cccc=$gte&dddd=3`,
        payload: {
            a: 1,
            $eq: 2,
            c: ['$lte', 'd', true],
            e: {
                f: 1,
                $ge: true
            }
        },
    })

    the sanitizer removes every key and every string value that starts with "$" (so `$bbbb` goes because of its key and `cccc` goes because of its value). The handler then sees:

    function requestHandler(req, res) {
        req.params // {}
        req.query  // { dddd: '3' }  (query-string values arrive as strings)
        req.body   // { a: 1, c: ['d', true], e: { f: 1 } }
    }

    stay safe :)

    Package metadata (npm)

    Weekly downloads: 62
    Version: 1.1.0
    License: MIT
    Unpacked size: 10.4 kB (9 files)
    Collaborators: klemenkozelj