{"id":20227633,"url":"https://github.com/panga/node-shield","last_synced_at":"2025-07-13T20:36:21.786Z","repository":{"id":36113107,"uuid":"221333841","full_name":"panga/node-shield","owner":"panga","description":"Protects against common Node.js vulnerabilities in MEAN stack (MongoDB, Node.js).","archived":false,"fork":false,"pushed_at":"2023-01-24T00:45:27.000Z","size":1182,"stargazers_count":7,"open_issues_count":18,"forks_count":2,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-05-11T22:03:15.282Z","etag":null,"topics":["express-middleware","nodejs","nosql-injection","owasp","security"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/panga.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-11-12T23:47:36.000Z","updated_at":"2023-05-25T06:34:30.000Z","dependencies_parsed_at":"2023-02-13T06:25:13.772Z","dependency_job_id":null,"html_url":"https://github.com/panga/node-shield","commit_stats":{"total_commits":22,"total_committers":2,"mean_commits":11.0,"dds":"0.045454545454545414","last_synced_commit":"adee1354dec2a27cd5d5f41585a88b9bd0505727"},"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/panga/node-shield","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panga%2Fnode-shield","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panga%2Fnode-shield/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panga%2Fnode-shield/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pan
ga%2Fnode-shield/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/panga","download_url":"https://codeload.github.com/panga/node-shield/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panga%2Fnode-shield/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":259482832,"owners_count":22864827,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["express-middleware","nodejs","nosql-injection","owasp","security"],"created_at":"2024-11-14T07:25:44.854Z","updated_at":"2025-07-13T20:36:21.764Z","avatar_url":"https://github.com/panga.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# node-shield\n\n[![npm version](https://badge.fury.io/js/node-shield.svg)](https://badge.fury.io/js/node-shield)\n[![Build Status](https://travis-ci.com/panga/node-shield.svg?branch=master)](https://travis-ci.com/panga/node-shield)\n\nProtects against common Node.js vulnerabilities in MEAN stack (MongoDB, Node.js).\n\nProvides an extremely fast and low overhead API and Express 4.x middleware.\n\n- Executes in ~200ns (nanoseconds) for a payload with 10 keys and 500 bytes.\n- 100% code coverage.\n- Zero dependencies.\n- Supports Node 6+\n\n## Install\n\n`npm install node-shield`\n\n## Description\n\nThis module aims at protecting Node.js applications against OWASP Injection (A1) attacks.\n\nOne of the most common attacks on the MEAN stack is MongoDB NoSQL injection using arbitrary input in request parameters.\n\nA second and more recent attack comes 
with JavaScript prototype pollution and it was seen in multiple libraries in recent years ([Lodash](https://snyk.io/vuln/SNYK-JS-LODASH-450202), [Hapi.js](https://github.com/hapijs/hapi/issues/3916)), but it is also present if you use the `Object.assign` API.\n\n**WARNING** This is not a replacement for good coding practices like:\n* Use parameterized queries to prevent injection flaws.\n* Always validate input parameter types (JSON Schema recommended)\n\n### MongoDB NoSQL protection\n\nBlock object keys which start with the MongoDB `$` operator prefix. e.g: `username: { $gt: ''}`.\n\nReferences:\n* https://www.owasp.org/index.php/Testing_for_NoSQL_injection\n* https://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html\n* https://blog.websecurify.com/2014/08/attacks-nodejs-and-mongodb-part-to.html\n\n### Prototype Pollution protection\n\nBlock object keys named `__proto__` or `constructor` whose values are also objects.\n\nReferences:\n* https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf\n\n## API usage\n\n### Callback style\n\n```javascript\nconst { shield } = require('node-shield');\n\nshield.evaluate({ user: { $gt: '' } }, { mongo: true, proto: true },\n  (err) =\u003e {\n    if (err) {\n      throw err;\n    }\n  });\n```\n\n### Promise style\n\n```javascript\nconst { shield } = require('node-shield');\n\nshield.evaluateAsync({ user: { $gt: '' } }, { mongo: true, proto: true })\n  .catch((err) =\u003e {\n    throw err;\n  });\n```\n\n## Express 4.x middleware usage\n\nBy default, both `mongo` and `proto` protections are evaluated and the error handler returns a `403` error.\nYou can do anything you would normally do in an Express middleware.\nFor example, but not limited to:\n- Log the injection attempt and continue to process the request\n- Log the injection attempt and respond with an error\n\n```javascript\nconst express = require('express');\nconst { expressShield } = 
require('node-shield');\n\nconst app = express();\napp.use(express.urlencoded({ extended: true }));\napp.use(express.json());\napp.use(expressShield({\n  errorHandler: (shieldError, req, res, next) =\u003e {\n    console.error(shieldError);\n    res.sendStatus(400);\n  },\n}));\n\napp.listen(3000);\n```\n\n## License\n\n[Apache2.0](https://www.apache.org/licenses/LICENSE-2.0)\n\n## Author\n\nLeonardo Zanivan\n\u003cpanga@apache.org\u003e\n[www.panga.dev](https://panga.dev)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpanga%2Fnode-shield","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpanga%2Fnode-shield","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpanga%2Fnode-shield/lists"}