Adding options.allowDots (#41)

Squashed commit of the following:

commit f85e51644ed68a74dd5fbe7a79c17e62e02aed01
Author: Tom Spencer <[email protected]>
Date:   Fri Jan 14 10:47:41 2022 +0000

    Removed unnecessary file

commit 059be6ba7fb8a4d6e80147a94b03a064f1a43fcc
Merge: 565c1ea 55a16c7
Author: Tom Spencer <[email protected]>
Date:   Fri Jan 14 10:46:46 2022 +0000

    Merge branch 'master' of github.com:Blagoj5/express-mongo-sanitize into Blagoj5-master

commit 55a16c7
Merge: 16534f2 9cc5240
Author: Blagoj <[email protected]>
Date:   Wed May 12 18:22:57 2021 +0200

    Merge github.com:fiznool/express-mongo-sanitize

commit 16534f2
Author: Blagoj <[email protected]>
Date:   Wed May 12 17:07:35 2021 +0200

    Clean code and fix tests

commit 565c1ea
Author: Tom Spencer <[email protected]>
Date:   Tue May 11 16:47:57 2021 +0100

    Bump package version to 2.1.0

commit 05e39bb
Author: Blagoj <[email protected]>
Date:   Sat Jan 23 16:40:25 2021 +0100

    feat: Adding new options (options.allowDots)

    Adding new option/feature, options.allowDots that is used for skipping the sanitization of data that has .(dot). This can be useful for nested document quering for mongoDb: https://docs.mongodb.com/manual/tutorial/query-embedded-documents/

    Creating new tests that include the new option

    Updating the documentation (README.md) file for the new option

    Adressing issue: #36

commit 287075b
Author: Blagoj <[email protected]>
Date:   Sat Jan 23 16:38:15 2021 +0100

    feat: Adding new options (options.allowDots)

    Adding new option/feature, options.allowDots that is used for skipping the sanitization of data that has .(dot). This can be useful for nested document quering for mongoDb: https://docs.mongodb.com/manual/tutorial/query-embedded-documents/

    Creating new tests that include the new option

    Updating the documentation (README.md) file for the new option

    Adressing issue: #36

commit aec9249
Author: Blagoj <[email protected]>
Date:   Sat Jan 23 16:17:53 2021 +0100

    feat: Adding new options (options.allowDots)

    Adding new option/feature, options.allowDots that is used for skipping the sanitization of data that has .(dot). This can be useful for nested document quering for mongoDb: https://docs.mongodb.com/manual/tutorial/query-embedded-documents/

    Creating new tests that include the new option

    Updating the documentation (README.md) file for the new option

    Adressing issue: #36

Author: fiznool

Diff for: README.md

@@ -37,6 +37,23 @@ app.use(
     replaceWith: '_',
   }),
 );
+
+// Or, to sanitize data that only contains $, without .(dot)
+// Can be useful for letting data pass that is meant for querying nested documents. NOTE: This may cause some problems on older versions of MongoDb
+// READ MORE: https://github.com/fiznool/express-mongo-sanitize/issues/36
+app.use(
+  mongoSanitize({
+    allowDots: true,
+  }),
+);
+
+// Both allowDots and replaceWith
+app.use(
+  mongoSanitize({
+    allowDots: true,
+    replaceWith: '_',
+  }),
+);
 ```
 
 ### `onSanitize`
@@ -85,8 +102,22 @@ mongoSanitize.sanitize(payload, {
   replaceWith: '_'
 });
 
+// Exclude sanitization of . (dot), only sanitize data that contains $. This may cause some problems on older versions of mongo db
+mongoSanitize.sanitize(payload, {
+  allowDots: true
+});
+
+// Both allowDots and replaceWith
+mongoSanitize.sanitize(payload, {
+  allowDots: true,
+  replaceWith: '_'
+});
+
 // Check if the payload has keys with prohibited characters
 const hasProhibited = mongoSanitize.has(payload);
+
+// Check if the payload has keys with prohibited characters (`.` is excluded). So if the payload only has `.` it will return false (since it doesn't see the data with `.` as a malicious data)
+const hasProhibited = mongoSanitize.has(payload, true);
 ```
 
 ## What?

Diff for: index.d.ts

@@ -5,6 +5,7 @@ declare namespace ExpressMongoSanitize {
     replaceWith?: string;
     onSanitize?: (params: { key: string; req: Request }) => void;
     dryRun?: boolean;
+    allowDots?: boolean;
   }
 }
 
@@ -27,7 +28,10 @@ type Middleware = {
    * Check if the payload has keys with prohibited characters‘
    * @param target
    */
-  has(target: Record<string, unknown> | unknown[]): boolean;
+  has(
+    target: Record<string, unknown> | unknown[],
+    allowDots?: boolean,
+  ): boolean;
 };
 
 declare const ExpressMongoSanitize: Middleware & {

Diff for: index.js

@@ -1,12 +1,17 @@
 'use strict';
 
 const TEST_REGEX = /^\$|\./;
+const TEST_REGEX_WITHOUT_DOT = /^\$/;
 const REPLACE_REGEX = /^\$|\./g;
 
 function isPlainObject(obj) {
   return typeof obj === 'object' && obj !== null;
 }
 
+function getTestRegex(allowDots) {
+  return allowDots ? TEST_REGEX_WITHOUT_DOT : TEST_REGEX;
+}
+
 function withEach(target, cb) {
   (function act(obj) {
     if (Array.isArray(obj)) {
@@ -23,10 +28,12 @@ function withEach(target, cb) {
   })(target);
 }
 
-function has(target) {
+function has(target, allowDots) {
+  const regex = getTestRegex(allowDots);
+
   let hasProhibited = false;
   withEach(target, function (obj, val, key) {
-    if (TEST_REGEX.test(key)) {
+    if (regex.test(key)) {
       hasProhibited = true;
       return { shouldRecurse: false };
     } else {
@@ -38,17 +45,19 @@ function has(target) {
 }
 
 function _sanitize(target, options) {
+  const regex = getTestRegex(options.allowDots);
+
   let isSanitized = false;
   let replaceWith = null;
-  let dryRun = Boolean(options.dryRun);
-  if (!TEST_REGEX.test(options.replaceWith)) {
+  const dryRun = Boolean(options.dryRun);
+  if (!regex.test(options.replaceWith) && options.replaceWith !== '.') {
     replaceWith = options.replaceWith;
   }
 
   withEach(target, function (obj, val, key) {
     let shouldRecurse = true;
 
-    if (TEST_REGEX.test(key)) {
+    if (regex.test(key)) {
       isSanitized = true;
       // if dryRun is enabled, do not modify the target
       if (dryRun) {