fastify-mongodb-sanitizer
v1.2.4
Published
Fastify plugin for sanitizing client requests.
Downloads
857
Maintainers
Readme
fastify-mongodb-sanitizer
Slim, well tested and zero dependencies Fastify plugin which through middleware sanitizes all user server inputs to increase overall security by preventing potential MongoDB database query injection attacks.
To further tighten the security please consider disabling server-side execution of JavaScript code or be extra cautious when running $where
and MapReduce
commands, taken from MongoDB FAQ.
Install
npm install --save fastify-mongodb-sanitizer
Usage
Package fastify-mongodb-sanitizer
will in preHandler
middleware hook remove all client server inputs (request URL parameters, query strings and body) starting with "$".
const fastify = require('fastify')();
const fastifyMongoDbSanitizer = require('fastify-mongodb-sanitizer');
const fastifyMongodbsanitizerOptions = {
params: true,
query: true,
body: true,
};
fastify
.register(fastifyMongoDbSanitizer, fastifyMongodbsanitizerOptions)
.get('/', (req, res) => res.send({ hello: 'world' }))
.listen({ port: 3000 });
Example
In following POST request
server.inject({
method: 'POST',
url: `/$aaaa?$bbbb=10&cccc=$gte&dddd=3`,
payload: {
a: 1,
$eq: 2,
c: ['$lte', 'd', true],
e: {
f: 1,
$ge: true
}
},
})
sanatizer will remove all keys and values starting with $, expected result in handler function will be:
function requestHandler(req, res) {
req.params // {}
req.query // { dddd: 3 }
req.body // { a: 1, c: ['d', true], e: { f: 1 } }
}
stay safe :)