Merge github.com:fiznool/express-mongo-sanitize

.github/dependabot.yml

@@ -0,0 +1,24 @@
+version: 2
+updates:
+  - package-ecosystem: npm
+    directory: '/'
+    schedule:
+      interval: daily
+    open-pull-requests-limit: 10
+    ignore:
+      - dependency-name: eslint
+        versions:
+          - 7.18.0
+          - 7.19.0
+          - 7.20.0
+          - 7.21.0
+          - 7.23.0
+      - dependency-name: mocha
+        versions:
+          - 8.3.0
+          - 8.3.1
+      - dependency-name: chai
+        versions:
+          - 4.3.0
+          - 4.3.1
+          - 4.3.3

.github/workflows/nodejs.yml

@@ -2,26 +2,25 @@ name: Node.js CI
 
 on:
   push:
-    branches: [ master ]
+    branches: [master]
   pull_request:
-    branches: [ master ]
+    branches: [master]
 
 jobs:
   build:
-
     runs-on: ubuntu-latest
 
     strategy:
       matrix:
-        node-version: [10.x, 12.x, 14.x]
+        node-version: [10.x, 12.x, 14.x, 16.x]
 
     steps:
-    - uses: actions/checkout@v2
-    - name: Use Node.js ${{ matrix.node-version }}
-      uses: actions/setup-node@v1
-      with:
-        node-version: ${{ matrix.node-version }}
-    - run: npm ci
-    - run: npm test
-      env:
-        CI: true
+      - uses: actions/checkout@v2
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v1
+        with:
+          node-version: ${{ matrix.node-version }}
+      - run: npm ci
+      - run: npm test
+        env:
+          CI: true

.prettierrc

@@ -0,0 +1,5 @@
+{
+  "bracketSpacing": true,
+  "singleQuote": true,
+  "trailingComma": "all"
+}

CHANGELOG.md

@@ -1,56 +1,87 @@
 # Change Log
+
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [2.1.0] - 2021-05-11
+
+### Added
+
+- New `config` options:
+  - `onSanitize` callback: this will be called after the request's value was sanitized, with two named parameters: the `key` that was sanitized, and the raw `req` object.
+  - `dryRun` boolean: if set, sanitization will not take place. Useful when combined with `onSanitize` to report on the keys which _would have_ been sanitized.
+- TypeScript types
+- Official support for node v16.
+
 ## [2.0.2] - 2021-01-07
+
 ### Fixed
+
 - Fixed a prototype pollution security vulnerability. #34
 
 ### Updated
+
 - Update dependencies.
 
 ## [2.0.1] - 2020-12-02
+
 ### Updated
+
 - Update dependencies and test against node 14.
 
 ### Changed
+
 - Use ESLint instead of JSHint for code linting.
 - Use GitHub Actions for CI instead of Travis.
 
 ## [2.0.0] - 2020-03-25
+
 ### Added / Breaking
+
 - Support sanitization of headers. #5
 
 Note that if you weren't previously expecting headers to be sanitized, this is considered a breaking change.
 
 ### Breaking
+
 - Drop support for node versions < 10.
 
 ## [1.3.2] - 2017-01-12
+
 ### Fixed
+
 - Fixed an issue when using the sanitizer in the node REPL. #3
 
 ## [1.3.1] - 2017-01-12
+
 ### Fixed
+
 - Fixed an issue with objects containing prohibited keys nested inside other objects with prohibited keys. #2
 - Added a more robust check for plain objects.
 
 ## [1.3.0] - 2016-01-15
+
 ### Added
+
 - A new function `has`, which checks whether a passed object/array contains any keys with prohibited characters.
 
 ## [1.2.0] - 2016-01-13
+
 ### Added
+
 - A new option `replaceWith` which can be used to replace offending characters in a key. This is an alternative to removing the data from the payload.
 
 ## [1.1.0] - 2016-01-13
+
 ### Added
+
 - The middleware also now sanitizes keys with a `.`. This is in line with Mongo's reserved operators.
 
 ## 1.0.0 - 2015-11-11
 
 Initial Release.
 
+[2.1.0]: https://github.com/fiznool/express-mongo-sanitize/compare/v2.0.2...v2.1.0
 [2.0.2]: https://github.com/fiznool/express-mongo-sanitize/compare/v2.0.1...v2.0.2
 [2.0.1]: https://github.com/fiznool/express-mongo-sanitize/compare/v2.0.0...v2.0.1
 [2.0.0]: https://github.com/fiznool/express-mongo-sanitize/compare/v1.3.2...v2.0.0

README copy.md

@@ -0,0 +1,150 @@
+# Express Mongoose Sanitize
+
+Express 4.x middleware which sanitizes user-supplied data to prevent MongoDB Operator Injection.
+
+[![Build Status](https://github.com/fiznool/express-mongo-sanitize/workflows/Node.js%20CI/badge.svg)](https://github.com/fiznool/express-mongo-sanitize/workflows/Node.js%20CI/badge.svg)
+[![npm version](https://img.shields.io/npm/v/express-mongo-sanitize)](https://img.shields.io/npm/v/express-mongo-sanitize)
+[![npm downloads per week](https://img.shields.io/npm/dw/express-mongo-sanitize?color=blue)](https://img.shields.io/npm/dw/express-mongo-sanitize?color=blue)
+[![Dependency Status](https://david-dm.org/fiznool/express-mongo-sanitize.svg)](https://david-dm.org/fiznool/express-mongo-sanitize)
+[![devDependency Status](https://david-dm.org/fiznool/express-mongo-sanitize/dev-status.svg)](https://david-dm.org/fiznool/express-mongo-sanitize#info=devDependencies)
+
+## Installation
+
+```bash
+npm install express-mongo-sanitize
+```
+
+## Usage
+
+Add as a piece of express middleware, before defining your routes.
+
+```js
+const express = require('express');
+const bodyParser = require('body-parser');
+const mongoSanitize = require('express-mongo-sanitize');
+
+const app = express();
+
+app.use(bodyParser.urlencoded({ extended: true }));
+app.use(bodyParser.json());
+
+// To remove data, use:
+app.use(mongoSanitize());
+
+// Or, to replace prohibited characters with _, use:
+app.use(
+  mongoSanitize({
+    replaceWith: '_',
+  }),
+);
+
+// Or, to sanitize data that only contains $, without .(dot)
+// Can be useful for letting data pass that is meant for querying nested documents. NOTE: This may cause some problems on older versions of MongoDb
+// READ MORE: https://github.com/fiznool/express-mongo-sanitize/issues/36
+app.use(
+  mongoSanitize({
+    allowDots: true,
+  }),
+);
+
+// Both allowDots and replaceWith
+app.use(
+  mongoSanitize({
+    allowDots: true,
+    replaceWith: '_',
+  }),
+);
+```
+
+### `onSanitize`
+
+`onSanitize` callback is called after the request's value was sanitized.
+
+```js
+app.use(
+  mongoSanitize({
+    onSanitize: ({ req, key }) => {
+      console.warn(`This request[${key}] is sanitized`, req);
+    },
+  }),
+);
+```
+
+### `dryRun`
+
+You can run this middleware as dry run mode.
+
+```js
+app.use(
+  mongoSanitize({
+    dryRun: true,
+    onSanitize: ({ req, key }) => {
+      console.warn(`[DryRun] This request[${key}] will be sanitized`, req);
+    },
+  }),
+);
+```
+
+### Node Modules API
+
+You can also bypass the middleware and use the module directly:
+
+```js
+const mongoSanitize = require('express-mongo-sanitize');
+
+const payload = {...};
+
+// Remove any keys containing prohibited characters
+mongoSanitize.sanitize(payload);
+
+// Replace any prohibited characters in keys
+mongoSanitize.sanitize(payload, {
+  replaceWith: '_'
+});
+
+// Exclude sanitization of . (dot), only sanitize data that contains $. This may cause some problems on older versions of mongo db
+mongoSanitize.sanitize(payload, {
+  allowDots: true
+});
+
+// Both allowDots and replaceWith
+mongoSanitize.sanitize(payload, {
+  allowDots: true,
+  replaceWith: '_'
+});
+
+// Check if the payload has keys with prohibited characters
+const hasProhibited = mongoSanitize.has(payload);
+
+// Check if the payload has keys with prohibited characters (`.` excluded)
+const hasProhibited = mongoSanitize.has(payload, true);
+```
+
+## What?
+
+This module searches for any keys in objects that begin with a `$` sign or contain a `.`, from `req.body`, `req.query` or `req.params`. It can then either:
+
+- completely remove these keys and associated data from the object, or
+- replace the prohibited characters with another allowed character.
+
+The behaviour is governed by the passed option, `replaceWith`. Set this option to have the sanitizer replace the prohibited characters with the character passed in.
+
+See the spec file for more examples.
+
+## Why?
+
+Object keys starting with a `$` or containing a `.` are _reserved_ for use by MongoDB as operators. Without this sanitization, malicious users could send an object containing a `$` operator, or including a `.`, which could change the context of a database operation. Most notorious is the `$where` operator, which can execute arbitrary JavaScript on the database.
+
+The best way to prevent this is to sanitize the received data, and remove any offending keys, or replace the characters with a 'safe' one.
+
+## Contributing
+
+PRs are welcome! Please add test coverage for any new features or bugfixes, and make sure to run `npm run prettier` before submitting a PR to ensure code consistency.
+
+## Credits
+
+Inspired by [mongo-sanitize](https://github.com/vkarpov15/mongo-sanitize).
+
+## License
+
+MIT