An Express 4.x middleware that prevents NoSQL injection
npm install mongo-express-sanitize
Add as a piece of express middleware, after body-parser and before defining your routes.
```js
var express = require('express'),
    bodyParser = require('body-parser'),
    mongoSanitize = require('mongo-express-sanitize');

var app = express();

// body-parser must run first so req.body exists when the sanitizer runs
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());

// To remove data, use:
app.use(mongoSanitize());
```
The middleware searches `req.params` and deletes every key that begins with `$`. It is a recursive function: it calls itself each time a nested JSON object is found.
Object keys starting with a `$` are reserved for use by MongoDB as operators. Without this sanitization, malicious users could send an object containing a `$` operator, which could change the context of a database operation. Most notorious is the
The best way to prevent this is to sanitize the received data, and remove any offending keys.
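As an added illustration (not the package's own code), here is a recursive sanitizer of the kind the README describes, wrapped in an Express-style middleware, run against a constructed request. Beyond what the README states, it also walks arrays and sanitizes `req.body` and `req.query` alongside `req.params`; the names `sanitize`, `mongoSanitize` and `demo` are assumptions.

```javascript
// Added example, not the mongo-express-sanitize package's own implementation.
// Walk an object (or array) and delete every key that starts with "$".
// Recurses into nested objects and arrays; primitives are returned unchanged.
function sanitize(value) {
  if (Array.isArray(value)) {
    value.forEach(function (item) { sanitize(item); }); // assumption: arrays are walked too
    return value;
  }
  if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      if (key.startsWith('$')) {
        delete value[key];        // reserved MongoDB operator key: drop it
      } else {
        sanitize(value[key]);     // recurse into nested JSON
      }
    }
  }
  return value;
}

// Middleware factory: sanitize the request containers before route handlers run.
// The README names req.params; body and query are included here as an assumption.
function mongoSanitize() {
  return function (req, res, next) {
    ['body', 'query', 'params'].forEach(function (prop) {
      if (req[prop]) sanitize(req[prop]);
    });
    next();
  };
}

// Constructed sample request (not real traffic): the password field carries an
// operator key, and a nested array element carries one two levels down.
function demo() {
  const req = {
    params: { id: 'abc123' },
    query: { sort: 'name' },
    body: {
      username: 'alice',
      password: { $gt: '' },
      profile: { tags: ['x', { $ne: 'y' }], age: 30 }
    }
  };
  let nextCalled = false;
  mongoSanitize()(req, {}, function next() { nextCalled = true; });
  return { req: req, nextCalled: nextCalled };
}

console.log(JSON.stringify(demo().req, null, 2));
```

After the middleware runs, `req.body.password` is an empty object rather than an operator, so a query built from it can no longer change its own semantics; the plain string fields are left untouched. Note that the check is on the key prefix only, and that sanitizing in place mutates the request objects, which is what lets downstream route handlers see the cleaned data.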
Inspired by express-mongo-sanitize.