# mongo-sanitizer

`mongo-sanitizer` is an Express.js middleware to protect your application from NoSQL injection attacks. It sanitizes `req.body`, `req.query`, `req.params`, and `req.headers` by replacing `$` and `.` characters, which have special meaning in NoSQL queries.

NoSQL databases interpret `$` and `.` as operators or for nested fields. Malicious input using these characters can lead to unauthorized data access or modification. `mongo-sanitizer` prevents this by providing sanitized copies of your request data (e.g., `req.sanitizedBody`), leaving the original data untouched.
```sh
npm install mongo-sanitizer
```

or

```sh
yarn add mongo-sanitizer
```
Always read from the `sanitized`-prefixed properties (e.g., `req.sanitizedBody`) rather than the original request fields; only the sanitized copies are safe to pass into queries.
## Basic Application (for `req.body`, `req.query`, `req.headers`)

Apply `mongo-sanitizer` globally for most request data:

```js
import express from 'express';
import mongoSanitizer from 'mongo-sanitizer';

const app = express();
app.use(express.json());
app.use(express.urlencoded({ extended: true }));

// Apply globally
app.use(mongoSanitizer());

app.post('/api/data', (req, res) => {
  // Use sanitized data
  console.log('Sanitized Body:', req.sanitizedBody);
  res.json({ sanitizedData: req.sanitizedBody });
});

app.listen(3000, () => console.log('Server running on port 3000'));
```
## Route-Specific Application (Crucial for `req.params`)

`req.params` is populated only after route matching, so a globally registered middleware sees it empty. For reliable sanitization of route parameters, apply `mongoSanitizer()` directly within the route definition:

```js
import express from 'express';
import mongoSanitizer from 'mongo-sanitizer';

const app = express();
app.use(express.json());

app.get('/api/users/:userId', mongoSanitizer(), (req, res) => {
  // Use sanitized params
  console.log('Sanitized Params:', req.sanitizedParams);
  res.json({ sanitizedUserId: req.sanitizedParams?.userId });
});

app.listen(3000, () => console.log('Server running on port 3000'));
```
Customize the middleware with an options object:

```ts
mongoSanitizer({
  replaceWith?: string; // Default: '_'
  fields?: ('body' | 'params' | 'query' | 'headers')[]; // Default: all
  // ... other options for advanced use (onSanitize, dryRun, allowDots)
})
```

Example: replace with a dash, and only sanitize `body` and `query`.

```js
app.use(mongoSanitizer({ replaceWith: '-', fields: ['body', 'query'] }));
```
You can also use the helper functions for manual sanitization or checking:

```js
import { sanitize, has } from 'mongo-sanitizer';

const maliciousString = 'user.$name';
const cleanedString = sanitize(maliciousString); // "user__name"
const containsMalicious = has('price.$lt'); // true
```
When using `replaceWith: ''` in the sanitizer middleware, there is a risk of key collisions and unexpected data changes: two distinct input keys that differ only by a `$` or `.` (for example `a.b` and `ab`) sanitize to the same name, so one silently overwrites the other.
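The behaviour described on this page (key and string replacement, the `sanitize`/`has` helpers, the middleware attaching `sanitized*` copies, and the `replaceWith: ''` collision risk) as an added reference implementation in plain JavaScript. This is not the mongo-sanitizer package's own code: the option names `replaceWith`, `allowDots`, `fields`, and `onSanitize` are taken from this README, but their exact semantics here are an assumption, and the request object is constructed inline so the example runs without Express or a database.

```javascript
// Added reference implementation (not the mongo-sanitizer package's code).
// Option semantics for replaceWith / allowDots / fields / onSanitize are
// assumed from the README's option list.

const FIELDS = ['body', 'params', 'query', 'headers'];

// Replace every '$' and (unless allowDots is set) every '.' in a string.
function sanitizeString(str, replaceWith, allowDots) {
  const pattern = allowDots ? /\$/g : /[$.]/g;
  return str.replace(pattern, replaceWith);
}

// Return a deep copy of `value` with object keys and string values sanitized.
// The input is never mutated, mirroring the "original data untouched" promise.
function sanitize(value, options = {}) {
  const { replaceWith = '_', allowDots = false } = options;
  if (typeof value === 'string') return sanitizeString(value, replaceWith, allowDots);
  if (Array.isArray(value)) return value.map((v) => sanitize(v, options));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [key, val] of Object.entries(value)) {
      const cleanKey = sanitizeString(key, replaceWith, allowDots);
      // With replaceWith: '' distinct keys can collapse onto the same name,
      // and a later entry silently overwrites an earlier one (see collisionDemo).
      out[cleanKey] = sanitize(val, options);
    }
    return out;
  }
  return value; // numbers, booleans, null and undefined pass through unchanged
}

// True if any key or string anywhere inside `value` contains a prohibited character.
function has(value, allowDots = false) {
  const pattern = allowDots ? /\$/ : /[$.]/;
  if (typeof value === 'string') return pattern.test(value);
  if (Array.isArray(value)) return value.some((v) => has(v, allowDots));
  if (value && typeof value === 'object') {
    return Object.entries(value).some(([k, v]) => pattern.test(k) || has(v, allowDots));
  }
  return false;
}

// Express-style middleware: for each configured field, attach a sanitized copy
// as req.sanitizedBody / sanitizedParams / sanitizedQuery / sanitizedHeaders.
// onSanitize (assumed signature) is invoked when a field actually needed cleaning,
// which makes a convenient hook for logging or alerting on suspicious input.
function mongoSanitizer(options = {}) {
  const { fields = FIELDS, onSanitize } = options;
  return function (req, res, next) {
    for (const field of fields) {
      if (req[field] === undefined) continue; // e.g. params before route matching
      const target = 'sanitized' + field[0].toUpperCase() + field.slice(1);
      req[target] = sanitize(req[field], options);
      if (onSanitize && has(req[field], options.allowDots)) onSanitize({ req, field });
    }
    if (typeof next === 'function') next();
  };
}

// Constructed request (not a real capture): the password field carries a
// query operator object instead of a string, and a query key contains a dot.
function runDemo() {
  const req = {
    body: { username: 'alice', password: { $gt: '' } },
    query: { 'sort.field': 'name' },
    params: { userId: '42' },
  };
  const flagged = [];
  mongoSanitizer({ onSanitize: ({ field }) => flagged.push(field) })(req, {}, () => {});
  return { req, flagged };
}

// Key collision with replaceWith: '' where 'a.b' and 'ab' both become 'ab',
// so the object comes back with a single key and the first value is lost.
function collisionDemo() {
  return sanitize({ 'a.b': 'first', ab: 'second' }, { replaceWith: '' });
}
```

In `runDemo` the original `req.body` still contains the `$gt` operator afterwards, which is why handlers must read `req.sanitizedBody`; `collisionDemo` shows why an empty `replaceWith` is best avoided unless the input keys are known not to collide.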
This project is licensed under the MIT License - see the LICENSE file for details.