Initial commit

fiznool · fiznool · commit ca8f67338671 · 2015-11-11T16:26:11.000Z
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,32 @@
+# Created by https://www.gitignore.io/api/node
+
+### Node ###
+# Logs
+logs
+*.log
+npm-debug.log*
+
+# Runtime data
+pids
+*.pid
+*.seed
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+
+# Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (http://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directory
+# https://docs.npmjs.com/misc/faq#should-i-check-my-node-modules-folder-into-git
+node_modules
+
diff --git a/.jshintrc b/.jshintrc
@@ -0,0 +1,27 @@
+{
+  "node": true,
+  "expr": true,
+  "esnext": true,
+  "bitwise": true,
+  "curly": true,
+  "eqeqeq": true,
+  "immed": true,
+  "indent": 2,
+  "latedef": true,
+  "newcap": false,
+  "noarg": true,
+  "quotmark": "single",
+  "regexp": true,
+  "undef": true,
+  "unused": true,
+  "strict": true,
+  "trailing": true,
+  "smarttabs": true,
+  "globals": {
+    "afterEach": false,
+    "beforeEach": false,
+    "describe": false,
+    "expect": false,
+    "it": false
+  }
+}
diff --git a/.travis.yml b/.travis.yml
@@ -0,0 +1,6 @@
+language: node_js
+node_js:
+  - '0.10'
+  - '0.12'
+  - '4'
+  - '5'
diff --git a/LICENSE b/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Tom Spencer.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
@@ -0,0 +1,44 @@
+# Express Mongoose Sanitize
+
+Express 4.x middleware which sanitizes user-supplied data to prevent MongoDB Operator Injection.
+
+## Installation
+
+``` bash
+npm install express-mongo-sanitize
+```
+
+## Usage
+
+Add as a piece of express middleware, before defining your routes.
+
+``` js
+var express = require('express'),
+    bodyParser = require('body-parser'),
+    mongoSanitize = require('express-mongo-sanitize');
+
+var app = express();
+
+app.use(bodyParser.urlencoded({extended: true}));
+app.use(bodyParser.json());
+app.use(mongoSanitize());
+
+```
+
+## What?
+
+This module removes any keys in objects that begin with a `$` sign from `req.body`, `req.query` or `req.params`.
+
+## Why?
+
+Object keys starting with a `$` are _reserved_ for use by MongoDB as operators. Without this sanitization,  malicious users could send an object containing a `$` operator, which could change the context of a database operation. Most notorious is the `$where` operator, which can execute arbitrary JavaScript on the database.
+
+The best way to prevent this is to sanitize the received data, and remove any offending keys.
+
+## Credits
+
+Inspired by [mongo-sanitize](https://github.com/vkarpov15/mongo-sanitize).
+
+## License
+
+MIT
diff --git a/index.js b/index.js
@@ -0,0 +1,29 @@
+'use strict';
+
+var sanitize = function(val) {
+  if(Array.isArray(val)) {
+    val.forEach(sanitize);
+
+  } else if(val instanceof Object) {
+    Object.keys(val).forEach(function(key) {
+      if (/^\$/.test(key)) {
+        delete val[key];
+      } else {
+        sanitize(val[key]);
+      }
+    });
+  }
+
+  return val;
+};
+
+module.exports = function() {
+  return function(req, res, next) {
+    ['body', 'params', 'query'].forEach(function(k) {
+      if(req[k]) {
+        req[k] = sanitize(req[k]);
+      }
+    });
+    next();
+  };
+};
diff --git a/package.json b/package.json
@@ -0,0 +1,36 @@
+{
+  "name": "express-mongo-sanitize",
+  "version": "1.0.0",
+  "description": "Sanitize your express payload to prevent MongoDB operator injection.",
+  "main": "index.js",
+  "scripts": {
+    "test": "./node_modules/mocha/bin/mocha test.js"
+  },
+  "engines": {
+    "node": ">=0.10.0"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/fiznool/express-mongo-sanitize.git"
+  },
+  "keywords": [
+    "mongodb",
+    "express",
+    "middleware",
+    "operator",
+    "injection",
+    "security"
+  ],
+  "author": "Tom Spencer <fiznool@gmail.com>",
+  "license": "MIT",
+  "bugs": {
+    "url": "https://github.com/fiznool/express-mongo-sanitize/issues"
+  },
+  "homepage": "https://github.com/fiznool/express-mongo-sanitize#readme",
+  "devDependencies": {
+    "body-parser": "^1.14.1",
+    "express": "^4.13.3",
+    "mocha": "^2.3.3",
+    "supertest": "^1.1.0"
+  }
+}
diff --git a/test.js b/test.js
@@ -0,0 +1,156 @@
+'use strict';
+
+var request = require('supertest'),
+    express = require('express'),
+    bodyParser = require('body-parser'),
+    sanitize = require('./index.js');
+
+describe('Express Mongo Sanitize', function() {
+  var app = express();
+  app.use(bodyParser.urlencoded({extended: true}));
+  app.use(bodyParser.json());
+  app.use(sanitize());
+
+  app.post('/body', function(req, res){
+    res.status(200).json({
+      body: req.body
+    });
+  });
+
+  app.get('/query', function(req, res){
+    res.status(200).json({
+      query: req.query
+    });
+  });
+
+  describe('Top-level object', function() {
+    it('should sanitize the query string', function(done) {
+      request(app)
+        .get('/query?q=search&$where=malicious')
+        .set('Accept', 'application/json')
+        .expect(200, {
+          query: {
+            q: 'search'
+          }
+        }, done);
+    });
+
+    it('should sanitize a JSON body', function(done) {
+      request(app)
+        .post('/body')
+        .send({
+          q: 'search',
+          is: true,
+          and: 1,
+          even: null,
+          stop: undefined,
+          $where: 'malicious'
+        })
+        .set('Content-Type', 'application/json')
+        .set('Accept', 'application/json')
+        .expect(200, {
+          body: {
+            q: 'search',
+            is: true,
+            and: 1,
+            even: null
+          }
+        }, done);
+    });
+
+    it('should sanitize a form url-encoded body', function(done) {
+      request(app)
+        .post('/body')
+        .send('q=search&$where=malicious')
+        .set('Content-Type', 'application/x-www-form-urlencoded')
+        .set('Accept', 'application/json')
+        .expect(200, {
+          body: {
+            q: 'search'
+          }
+        }, done);
+    });
+  });
+
+  describe('Nested Object', function() {
+    it('should sanitize a nested object in the query string', function(done) {
+      request(app)
+        .get('/query?username[$gt]=')
+        .set('Accept', 'application/json')
+        .expect(200, {
+          query: {
+            username: {}
+          }
+        }, done);
+    });
+
+    it('should sanitize a nested object in a JSON body', function(done) {
+      request(app)
+        .post('/body')
+        .send({
+          username: { $gt: '' }
+        })
+        .set('Content-Type', 'application/json')
+        .set('Accept', 'application/json')
+        .expect(200, {
+          body: {
+            username: {}
+          }
+        }, done);
+    });
+
+    it('should sanitize a nested object in a form url-encoded body', function(done) {
+      request(app)
+        .post('/body')
+        .send('username[$gt]=')
+        .set('Content-Type', 'application/x-www-form-urlencoded')
+        .set('Accept', 'application/json')
+        .expect(200, {
+          body: {
+            username: {}
+          }
+        }, done);
+    });
+  });
+
+  describe('Nested Object inside an Array', function() {
+    it('should sanitize a nested object in the query string', function(done) {
+      request(app)
+        .get('/query?username[0][$gt]=')
+        .set('Accept', 'application/json')
+        .expect(200, {
+          query: {
+            username: [{}]
+          }
+        }, done);
+    });
+
+    it('should sanitize a nested object in a JSON body', function(done) {
+      request(app)
+        .post('/body')
+        .send({
+          username: [{ $gt: '' }]
+        })
+        .set('Content-Type', 'application/json')
+        .set('Accept', 'application/json')
+        .expect(200, {
+          body: {
+            username: [{}]
+          }
+        }, done);
+    });
+
+    it('should sanitize a nested object in a form url-encoded body', function(done) {
+      request(app)
+        .post('/body')
+        .send('username[0][$gt]=')
+        .set('Content-Type', 'application/x-www-form-urlencoded')
+        .set('Accept', 'application/json')
+        .expect(200, {
+          body: {
+            username: [{}]
+          }
+        }, done);
+    });
+  });
+});
