Express 4.x middleware which sanitizes user-supplied data to prevent MongoDB Operator Injection.
npm install express-mongo-sanitize
Add as a piece of express middleware, before defining your routes.
var express = require('express'),
    bodyParser = require('body-parser'),
    mongoSanitize = require('express-mongo-sanitize');

var app = express();

app.use(bodyParser.urlencoded({extended: true}));
app.use(bodyParser.json());

// Sanitize req.body, req.query and req.params before any route sees them.
app.use(mongoSanitize());
This module removes any keys in objects that begin with a $ sign from req.body, req.query or req.params.
Object keys starting with a $ are reserved for use by MongoDB as operators. Without this sanitization, malicious users could send an object containing a $ operator, which could change the context of a database operation. Most notorious is the $where operator, which can execute arbitrary JavaScript on the database.
The best way to prevent this is to sanitize the received data, and remove any offending keys.
Inspired by mongo-sanitize.
MIT