https://github.com/klemenkozelj/fastify-mongodb-sanitizer
Fastify plugin that sanitizes client input to prevent potential MongoDB query injection attacks. 💽🥽
fastify fastify-plugin javascript mongodb nodejs nodejs-server
Last synced: 9 months ago
- Host: GitHub
- URL: https://github.com/klemenkozelj/fastify-mongodb-sanitizer
- Owner: KlemenKozelj
- License: mit
- Created: 2021-12-20T16:41:13.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2025-02-21T09:00:38.000Z (over 1 year ago)
- Last Synced: 2025-08-10T21:45:26.567Z (10 months ago)
- Topics: fastify, fastify-plugin, javascript, mongodb, nodejs, nodejs-server
- Language: JavaScript
- Homepage:
- Size: 147 KB
- Stars: 8
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: MIT-LICENSE.txt
README
# fastify-mongodb-sanitizer
 
Slim, well-tested, zero-dependency Fastify plugin that hooks into the request lifecycle and sanitizes all client input (route parameters, query string and body) to prevent MongoDB query operator injection.
To tighten things further, consider disabling server-side JavaScript execution on the database server (the mongod `--noscripting` option, or `security.javascriptEnabled: false` in the config file), or be extra careful when using `$where` and `mapReduce`, as the [MongoDB FAQ](https://www.mongodb.com/docs/manual/faq/fundamentals/#javascript) advises. Stripping "$"-prefixed keys blocks operator injection through the query document itself; it does nothing for a `$where` or `mapReduce` JavaScript string that your own server code builds from user-supplied text.
## Install
```
npm install --save fastify-mongodb-sanitizer
```
## Usage
Package `fastify-mongodb-sanitizer` registers a `preHandler` hook that removes every key and every string value starting with "$" from the client-controlled request inputs: `request.params` (route parameters), `request.query` (parsed query string) and `request.body`. Each of the three can be switched on or off through the plugin options:
```js
const fastify = require('fastify')();
const fastifyMongoDbSanitizer = require('fastify-mongodb-sanitizer');

// Choose which request inputs the preHandler hook sanitizes.
const fastifyMongodbsanitizerOptions = {
  params: true, // request.params (route parameters)
  query: true,  // request.query (parsed query string)
  body: true,   // request.body (parsed JSON / form body)
};

fastify
  .register(fastifyMongoDbSanitizer, fastifyMongodbsanitizerOptions)
  .get('/', (req, res) => res.send({ hello: 'world' }))
  .listen({ port: 3000 });
```
#### Example
In the following POST request (`server` is a Fastify instance with the plugin registered; the payload is a constructed sample that mixes "$"-prefixed keys and values into params, query string and body)
```js
server.inject({
  method: 'POST',
  // "$aaaa" lands in request.params, "$bbbb" and "$gte" in request.query
  url: `/$aaaa?$bbbb=10&cccc=$gte&dddd=3`,
  payload: {
    a: 1,
    $eq: 2,                 // "$" key at the top level
    c: ['$lte', 'd', true], // "$" value inside an array
    e: {
      f: 1,
      $ge: true,            // "$" key in a nested object
    },
  },
})
```
the sanitizer removes every key and value starting with "$" (assuming the route declares a parameter, e.g. `/:id`, that captured `$aaaa`), so the handler sees:
```js
function requestHandler(req, res) {
  req.params // {}
  req.query  // { dddd: 3 }
  req.body   // { a: 1, c: ['d', true], e: { f: 1 } }
}
```
stay safe :)