Protects against common Node.js vulnerabilities in MEAN stack (MongoDB, Node.js).
node-shield


Protects against common Node.js vulnerabilities in MEAN stack (MongoDB, Node.js).

Provides an extremely fast, low-overhead API and Express 4.x middleware.

  • Executes in ~200ns (nanoseconds) for a payload with 10 keys and 500 bytes.
  • 100% code coverage.
  • Zero dependencies.
  • Supports Node 6+.

Install

npm install node-shield

Description

This module aims to protect Node.js applications against OWASP Injection (A1) attacks.

One of the most common attacks on the MEAN stack is MongoDB NoSQL injection using arbitrary input in request parameters.

A second and more recent attack comes with JavaScript prototype pollution. It has been seen in multiple libraries in recent years (Lodash, Hapi.js), but it is also present if you use the Object.assign API.

WARNING This is not a replacement for good coding practices such as:

  • Use parameterized queries to prevent injection flaws.
  • Always validate the types of input parameters (JSON Schema recommended).

MongoDB NoSQL protection

Block object keys that start with the MongoDB $ operator prefix, e.g. username: { $gt: '' }.

References:

Prototype Pollution protection

Block object keys named __proto__ or constructor whose value is itself an object.
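As an added illustration of the two rules above (the MongoDB $-prefix rule and the __proto__/constructor rule), not node-shield's own code: a recursive walk that reports where each rule matches, plus a hypothetical Express-style middleware built on it. The root path labels, the finding shape and the sample bodies are this example's own choices.

```javascript
// Added example, not node-shield's own code: a recursive walk that applies
// the two rules described above and reports where they match, rather than
// throwing. Root path label and finding shape are this example's choice.
function findInjectionKeys(value, options = {}, path = 'body', out = []) {
  const { mongo = true, proto = true } = options;
  if (value === null || typeof value !== 'object') return out;
  if (Array.isArray(value)) {
    value.forEach((item, i) => findInjectionKeys(item, options, `${path}[${i}]`, out));
    return out;
  }
  // Object.keys lists an own "__proto__" key as JSON.parse creates it; an
  // object literal would instead have treated it as the prototype setter.
  for (const key of Object.keys(value)) {
    const child = value[key];
    const childPath = `${path}.${key}`;
    if (mongo && key.startsWith('$')) {
      out.push({ path: childPath, rule: 'mongo' });
    }
    if (proto && (key === '__proto__' || key === 'constructor')
        && child !== null && typeof child === 'object') {
      out.push({ path: childPath, rule: 'proto' });
    }
    findInjectionKeys(child, options, childPath, out);
  }
  return out;
}

// Express-style middleware on top of the walk (hypothetical, not the
// module's expressShield): inspects body and query, answers 403 on a hit.
function shieldMiddleware(options = {}) {
  return (req, res, next) => {
    const findings = [
      ...findInjectionKeys(req.body, options, 'body'),
      ...findInjectionKeys(req.query, options, 'query'),
    ];
    if (findings.length === 0) return next();
    res.status(403).json({ error: 'request rejected', findings });
  };
}

// Constructed sample bodies, parsed as express.json() would parse them.
const loginBypass = JSON.parse('{"username":"admin","password":{"$gt":""}}');
const pollution = JSON.parse('{"__proto__":{"isAdmin":true},"name":"x"}');
const clean = JSON.parse('{"username":"admin","tags":["a"],"price":"$5"}');

console.log(findInjectionKeys(loginBypass)); // [{ path: 'body.password.$gt', rule: 'mongo' }]
console.log(findInjectionKeys(pollution));   // [{ path: 'body.__proto__', rule: 'proto' }]
console.log(findInjectionKeys(clean));       // []
```

Note that a $ at the start of a value (the "$5" price) is not flagged; only keys are checked, which matches the rule stated above.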

References:

API usage

Callback style

const { shield } = require('node-shield');

shield.evaluate({ user: { $gt: '' } }, { mongo: true, proto: true },
  (err) => {
    if (err) {
      throw err;
    }
  });

Promise style

const { shield } = require('node-shield');

shield.evaluateAsync({ user: { $gt: '' } }, { mongo: true, proto: true })
  .catch((err) => {
    throw err;
  });

Express 4.x middleware usage

By default, both the mongo and proto protections are evaluated and the error handler returns a 403 error. You can do anything you would normally do in an Express middleware, for example (but not limited to):

  • Log the injection attempt and continue to process the request
  • Log the injection attempt and respond with an error

const express = require('express');
const { expressShield } = require('node-shield');

const app = express();
app.use(express.urlencoded({ extended: true }));
app.use(express.json());
app.use(expressShield({
  errorHandler: (shieldError, req, res, next) => {
    console.error(shieldError);
    res.sendStatus(400);
  },
}));

app.listen(3000);

License

Apache 2.0

Author

Leonardo Zanivan panga@apache.org www.panga.dev
