Fastify plugin that sanitizes client input to prevent potential MongoDB query injection attacks. 💽🥽

KlemenKozelj/fastify-mongodb-sanitizer


fastify-mongodb-sanitizer


Slim, well-tested, zero-dependency Fastify plugin that, through a preHandler hook, sanitizes all client input reaching the server to reduce the risk of MongoDB query injection. To tighten security further, consider disabling server-side JavaScript execution, or be extra cautious when running $where and MapReduce commands (advice taken from the MongoDB FAQ).

Install

npm install --save fastify-mongodb-sanitizer

Usage

In a preHandler hook, fastify-mongodb-sanitizer strips every key and every string value that starts with "$" from the client-controlled request inputs (route parameters, query string and body), so that MongoDB operators such as $ne or $gt cannot be smuggled into a query built from those values. Each input can be enabled or disabled separately via the plugin options:

const fastify = require('fastify')();
const fastifyMongoDbSanitizer = require('fastify-mongodb-sanitizer');

const fastifyMongodbsanitizerOptions = {
    params: true,
    query: true,
    body: true,
};

fastify
    .register(fastifyMongoDbSanitizer, fastifyMongodbsanitizerOptions)
    .get('/', (req, res) => res.send({ hello: 'world' }))
    .listen({ port: 3000 });

Example

Given the following POST request (sent here through Fastify's inject):

server.inject({
    method: 'POST',
    url: `/$aaaa?$bbbb=10&cccc=$gte&dddd=3`,
    payload: {
        a: 1,
        $eq: 2,
        c: ['$lte', 'd', true],
        e: {
            f: 1,
            $ge: true
        }
    },
})

the sanitizer removes all keys and values starting with "$"; the expected result in the handler function is:

function requestHandler(req, res) {
    req.params // {}
    req.query  // { dddd: 3 }
    req.body   // { a: 1, c: ['d', true], e: { f: 1 } }
}
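To make the rule concrete, here is an illustrative reimplementation of the "strip everything starting with $" behaviour described above, run over the README's sample request and over a classic login-bypass payload. This is example code added for this page, not the plugin's own source: it mirrors the documented behaviour on the sample input, but the real plugin may differ in edge cases. The `params` object assumes a route such as `/:id` (the page shows only `/`), and query-string values are modelled as strings because that is how Fastify delivers them.

```javascript
// Illustrative sanitizer: drop every key and every string value that starts
// with "$", recursing into nested objects and arrays. Example code written
// for this page, NOT the fastify-mongodb-sanitizer source.
const startsWithDollar = (v) => typeof v === 'string' && v.startsWith('$');

function sanitize(input) {
  if (Array.isArray(input)) {
    // Remove string elements beginning with "$", then recurse into the rest.
    return input.filter((v) => !startsWithDollar(v)).map(sanitize);
  }
  if (input !== null && typeof input === 'object') {
    const out = {};
    for (const [key, value] of Object.entries(input)) {
      if (key.startsWith('$')) continue;        // operator-looking key: drop it
      if (startsWithDollar(value)) continue;    // operator-looking value: drop the pair
      out[key] = sanitize(value);
    }
    return out;
  }
  return input;                                 // numbers, booleans, null, plain strings
}

// Apply the rule to the three client-controlled inputs, as the preHandler does.
function sanitizeRequest(req) {
  return {
    params: sanitize(req.params),
    query: sanitize(req.query),
    body: sanitize(req.body),
  };
}

// Constructed sample mirroring the README's POST request (assumed route '/:id').
const sampleRequest = {
  params: { id: '$aaaa' },
  query: { $bbbb: '10', cccc: '$gte', dddd: '3' },
  body: { a: 1, $eq: 2, c: ['$lte', 'd', true], e: { f: 1, $ge: true } },
};

// Constructed attack payload: { $ne: '' } would match any non-empty password
// if the body were passed straight into a collection.findOne() filter.
const loginBypass = { username: 'admin', password: { $ne: '' } };

console.log(JSON.stringify(sanitizeRequest(sampleRequest)));
console.log(JSON.stringify(sanitize(loginBypass))); // {"username":"admin","password":{}}
```

Note what the bypass payload becomes: `password` is now `{}`, not a string. A filter of `{ password: {} }` no longer matches arbitrary users, but the handler still receives an object where it expects a string. Stripping "$" keys blocks operator injection; it does not enforce types, so pair the plugin with a Fastify JSON schema on the route (for example `password: { type: 'string' }` in the body schema) so that non-string values are rejected before the handler runs.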

stay safe :)
