diff --git a/backend/package.json b/backend/package.json index 4996ced..19b5261 100644 --- a/backend/package.json +++ b/backend/package.json @@ -18,6 +18,7 @@ "cors": "^2.8.6", "dotenv": "^17.4.2", "express": "^5.2.1", + "express-mongo-sanitize": "^2.2.0", "express-rate-limit": "^8.5.2", "google-auth-library": "^10.6.2", "helmet": "^8.1.0", diff --git a/backend/src/index.js b/backend/src/index.js index fa41d96..c9a3c30 100644 --- a/backend/src/index.js +++ b/backend/src/index.js @@ -7,6 +7,7 @@ import cookieParser from "cookie-parser"; import helmet from "helmet"; import rateLimit from "express-rate-limit"; import compression from "compression"; // <-- Clean & Simple Import +import mongoSanitize from "express-mongo-sanitize"; // FIX #576: NoSQL injection protection import path from "path"; import { fileURLToPath } from "url"; import crypto from "crypto"; @@ -46,6 +47,14 @@ app.use(helmet({ contentSecurityPolicy: false })); // GSSoC Issue #35 Fix app.disable("x-powered-by"); app.use(express.json({ limit: "5mb" })); +/** + * SECURITY MIDDLEWARE: NoSQL Injection Prevention (Fix #576) + * Strips MongoDB query operators ($where, $gt, $ne, etc.) from all incoming + * request bodies, query strings, and params — preventing attackers from + * injecting malicious operators like { "email": { "$gt": "" } }. + * replaceWith: '_' replaces dangerous keys with safe underscores. + */ +app.use(mongoSanitize({ replaceWith: "_" })); app.use(cookieParser()); // Must precede CSRF to parse incoming cookies /**