Adding options.allowDots (#41)

Squashed commit of the following: commit f85e51644ed68a74dd5fbe7a79c17e62e02aed01 Author: Tom Spencer <tom.spencer@studiozeffa.com> Date: Fri Jan 14 10:47:41 2022 +0000 Removed unnecessary file commit 059be6ba7fb8a4d6e80147a94b03a064f1a43fcc Merge: 565c1ea 55a16c7 Author: Tom Spencer <tom.spencer@studiozeffa.com> Date: Fri Jan 14 10:46:46 2022 +0000 Merge branch 'master' of github.com:Blagoj5/express-mongo-sanitize into Blagoj5-master commit 55a16c7 Merge: 16534f2 9cc5240 Author: Blagoj <blagoj.petrov5@gmail.com> Date: Wed May 12 18:22:57 2021 +0200 Merge github.com:fiznool/express-mongo-sanitize commit 16534f2 Author: Blagoj <blagoj.petrov5@gmail.com> Date: Wed May 12 17:07:35 2021 +0200 Clean code and fix tests commit 565c1ea Author: Tom Spencer <tom.spencer@studiozeffa.com> Date: Tue May 11 16:47:57 2021 +0100 Bump package version to 2.1.0 commit 05e39bb Author: Blagoj <blagoj.petrov5@gmail.com> Date: Sat Jan 23 16:40:25 2021 +0100 feat: Adding new options (options.allowDots) Adding new option/feature, options.allowDots that is used for skipping the sanitization of data that has .(dot). This can be useful for nested document quering for mongoDb: https://docs.mongodb.com/manual/tutorial/query-embedded-documents/ Creating new tests that include the new option Updating the documentation (README.md) file for the new option Adressing issue: #36 commit 287075b Author: Blagoj <blagoj.petrov5@gmail.com> Date: Sat Jan 23 16:38:15 2021 +0100 feat: Adding new options (options.allowDots) Adding new option/feature, options.allowDots that is used for skipping the sanitization of data that has .(dot). This can be useful for nested document quering for mongoDb: https://docs.mongodb.com/manual/tutorial/query-embedded-documents/ Creating new tests that include the new option Updating the documentation (README.md) file for the new option Adressing issue: #36 commit aec9249 Author: Blagoj <blagoj.petrov5@gmail.com> Date: Sat Jan 23 16:17:53 2021 +0100 feat: Adding new options (options.allowDots) Adding new option/feature, options.allowDots that is used for skipping the sanitization of data that has .(dot). This can be useful for nested document quering for mongoDb: https://docs.mongodb.com/manual/tutorial/query-embedded-documents/ Creating new tests that include the new option Updating the documentation (README.md) file for the new option Adressing issue: #36
fiznool · Jan 14, 2022 · 32c997b · 32c997b
1 parent 81c2eb5
commit 32c997b
Show file tree

Hide file tree

Showing 4 changed files with 858 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -37,6 +37,23 @@ app.use(
     replaceWith: '_',
   }),
 );
+
+// Or, to sanitize data that only contains $, without .(dot)
+// Can be useful for letting data pass that is meant for querying nested documents. NOTE: This may cause some problems on older versions of MongoDb
+// READ MORE: https://github.com/fiznool/express-mongo-sanitize/issues/36
+app.use(
+  mongoSanitize({
+    allowDots: true,
+  }),
+);
+
+// Both allowDots and replaceWith
+app.use(
+  mongoSanitize({
+    allowDots: true,
+    replaceWith: '_',
+  }),
+);
 ```
 
 ### `onSanitize`
@@ -85,8 +102,22 @@ mongoSanitize.sanitize(payload, {
   replaceWith: '_'
 });
 
+// Exclude sanitization of . (dot), only sanitize data that contains $. This may cause some problems on older versions of mongo db
+mongoSanitize.sanitize(payload, {
+  allowDots: true
+});
+
+// Both allowDots and replaceWith
+mongoSanitize.sanitize(payload, {
+  allowDots: true,
+  replaceWith: '_'
+});
+
 // Check if the payload has keys with prohibited characters
 const hasProhibited = mongoSanitize.has(payload);
+
+// Check if the payload has keys with prohibited characters (`.` is excluded). So if the payload only has `.` it will return false (since it doesn't see the data with `.` as a malicious data)
+const hasProhibited = mongoSanitize.has(payload, true);
 ```
 
 ## What?

diff --git a/index.d.ts b/index.d.ts
@@ -5,6 +5,7 @@ declare namespace ExpressMongoSanitize {
     replaceWith?: string;
     onSanitize?: (params: { key: string; req: Request }) => void;
     dryRun?: boolean;
+    allowDots?: boolean;
   }
 }
 
@@ -27,7 +28,10 @@ type Middleware = {
    * Check if the payload has keys with prohibited characters‘
    * @param target
    */
-  has(target: Record<string, unknown> | unknown[]): boolean;
+  has(
+    target: Record<string, unknown> | unknown[],
+    allowDots?: boolean,
+  ): boolean;
 };
 
 declare const ExpressMongoSanitize: Middleware & {

diff --git a/index.js b/index.js
@@ -1,12 +1,17 @@
 'use strict';
 
 const TEST_REGEX = /^\$|\./;
+const TEST_REGEX_WITHOUT_DOT = /^\$/;
 const REPLACE_REGEX = /^\$|\./g;
 
 function isPlainObject(obj) {
   return typeof obj === 'object' && obj !== null;
 }
 
+function getTestRegex(allowDots) {
+  return allowDots ? TEST_REGEX_WITHOUT_DOT : TEST_REGEX;
+}
+
 function withEach(target, cb) {
   (function act(obj) {
     if (Array.isArray(obj)) {
@@ -23,10 +28,12 @@ function withEach(target, cb) {
   })(target);
 }
 
-function has(target) {
+function has(target, allowDots) {
+  const regex = getTestRegex(allowDots);
+
   let hasProhibited = false;
   withEach(target, function (obj, val, key) {
-    if (TEST_REGEX.test(key)) {
+    if (regex.test(key)) {
       hasProhibited = true;
       return { shouldRecurse: false };
     } else {
@@ -38,17 +45,19 @@ function has(target) {
 }
 
 function _sanitize(target, options) {
+  const regex = getTestRegex(options.allowDots);
+
   let isSanitized = false;
   let replaceWith = null;
-  let dryRun = Boolean(options.dryRun);
-  if (!TEST_REGEX.test(options.replaceWith)) {
+  const dryRun = Boolean(options.dryRun);
+  if (!regex.test(options.replaceWith) && options.replaceWith !== '.') {
     replaceWith = options.replaceWith;
   }
 
   withEach(target, function (obj, val, key) {
     let shouldRecurse = true;
 
-    if (TEST_REGEX.test(key)) {
+    if (regex.test(key)) {
       isSanitized = true;
       // if dryRun is enabled, do not modify the target
       if (dryRun) {