From 52c74908137098059c6fbb6377191e8ca038a915 Mon Sep 17 00:00:00 2001 From: knoxiboy Date: Fri, 12 Jun 2026 22:56:00 +0530 Subject: [PATCH 1/2] fix(security): Secure API Routes against NoSQL Query Injection Attacks (#576) From a250e5e8a306f3fd35db239cbf647569aae6d4e2 Mon Sep 17 00:00:00 2001 From: knoxiboy Date: Fri, 12 Jun 2026 23:20:12 +0530 Subject: [PATCH 2/2] fix(security): add express-mongo-sanitize to prevent NoSQL query injection closes #576 --- backend/package.json | 1 + backend/src/index.js | 9 +++++++++ 2 files changed, 10 insertions(+) diff --git a/backend/package.json b/backend/package.json index 4996ced..19b5261 100644 --- a/backend/package.json +++ b/backend/package.json @@ -18,6 +18,7 @@ "cors": "^2.8.6", "dotenv": "^17.4.2", "express": "^5.2.1", + "express-mongo-sanitize": "^2.2.0", "express-rate-limit": "^8.5.2", "google-auth-library": "^10.6.2", "helmet": "^8.1.0", diff --git a/backend/src/index.js b/backend/src/index.js index fa41d96..c9a3c30 100644 --- a/backend/src/index.js +++ b/backend/src/index.js @@ -7,6 +7,7 @@ import cookieParser from "cookie-parser"; import helmet from "helmet"; import rateLimit from "express-rate-limit"; import compression from "compression"; // <-- Clean & Simple Import +import mongoSanitize from "express-mongo-sanitize"; // FIX #576: NoSQL injection protection import path from "path"; import { fileURLToPath } from "url"; import crypto from "crypto"; @@ -46,6 +47,14 @@ app.use(helmet({ contentSecurityPolicy: false })); // GSSoC Issue #35 Fix app.disable("x-powered-by"); app.use(express.json({ limit: "5mb" })); +/** + * SECURITY MIDDLEWARE: NoSQL Injection Prevention (Fix #576) + * Strips MongoDB query operators ($where, $gt, $ne, etc.) from all incoming + * request bodies, query strings, and params — preventing attackers from + * injecting malicious operators like { "email": { "$gt": "" } }. + * replaceWith: '_' replaces dangerous keys with safe underscores. + */ +app.use(mongoSanitize({ replaceWith: "_" })); app.use(cookieParser()); // Must precede CSRF to parse incoming cookies /**