fix(security): prevent nested NoSQL injection in sanitize()

[NAYAMATVISION]

Summary

This PR fixes a NoSQL injection vulnerability in the sanitize() utility by recursively removing dangerous MongoDB operator keys from nested objects and arrays.

Changes Made

• Added recursive sanitization for nested objects

• Added array traversal support

• Blocked dangerous keys:

  • $-prefixed MongoDB operators
  • __proto__
  • constructor
  • prototype

• Preserved backward compatibility for normal user payloads

Security Impact

Previously, nested MongoDB operators such as:

{
  "profile": {
    "$gt": ""
  }
}

could bypass sanitization and potentially lead to NoSQL injection in update operations.

This PR ensures dangerous keys are removed at all nesting levels.

Testing

Tested locally with:

• top-level MongoDB operators
• nested operators
• deeply nested payloads
• arrays containing malicious objects
• prototype pollution attempts
• normal user payload preservation

Verified that malicious keys are removed while legitimate data remains unaffected.

Summary by CodeRabbit

• Bug Fixes
  • Improved input sanitization to recursively cleanse nested objects and arrays.
  • Broadened blocking of dangerous keys (including prototype-related keys and keys starting with $) to prevent prototype-pollution vectors.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4e2c976e-c795-47d7-b28e-d2cc01b338c4

📥 Commits

Reviewing files that changed from the base of the PR and between 38a2170 and cef0e86.

📒 Files selected for processing (1)

• packages/common/src/utils/input.validation.js

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/common/src/utils/input.validation.js

---

📝 Walkthrough

Walkthrough

The sanitize function was changed from top-level-only filtering to a recursive sanitizer that omits dangerous keys (__proto__, constructor, prototype) and any keys starting with $ in nested objects and arrays.

Changes

Input sanitization security

Layer / File(s)	Summary
Recursive sanitizer with prototype pollution defense packages/common/src/utils/input.validation.js	The sanitize function replaces its top-level-only filtering with recursive traversal that blocks prototype-pollution attack vectors (__proto__, constructor, prototype) and dangerous keys starting with $ throughout nested object and array structures.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 A rabbit hops through input fields with care,
Blocking __proto__ tricks hiding there,
Recursion guards each nested layer deep,
No dangerous keys shall sneak a peep,
Sanitized data, safe and sound to share!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title directly and clearly describes the main security fix: preventing nested NoSQL injection in the sanitize() function through recursive sanitization.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/common/src/utils/input.validation.js`:
- Around line 286-287: sanitize currently returns arrays unchanged, allowing
root-array payloads like [{"$gt":""}] to bypass filtering; update sanitize (the
sanitize function) to detect when obj is an Array at the top-level and instead
return a new array with sanitize applied to each element (recursively) so array
payloads are sanitized rather than short-circuited; ensure primitives and null
still return unchanged and that the implementation avoids mutating the original
objects.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 225f8e20-82f5-425b-8692-33a0e47fbf79

📥 Commits

Reviewing files that changed from the base of the PR and between f04b600 and 38a2170.

📒 Files selected for processing (1)

• packages/common/src/utils/input.validation.js

[NAYAMATVISION]

Good catch — root-level array payloads were bypassing sanitization due to the early array return condition.

Updated the implementation to recursively sanitize root arrays as well and verified the fix with additional test coverage for array payloads.

[yash-pouranik]

Hello @NAYAMATVISION
can u please resolve the merge conflict in this file - packages/common/src/utils/input.validation.js

[yash-pouranik]

your branch is 300+ commits behind the main

[NAYAMATVISION]

The branch is based on the latest upstream main commit I had locally when the fix was implemented. The “305 commits behind” message is showing because my fork itself is not fully synced with the upstream repository yet. The PR only contains the intended security-related commits for the sanitize() fix, and I’ve also addressed the review feedback regarding root-level array payload sanitization.

…

On Sun, May 17, 2026 at 12:54 PM Yash Pouranik ***@***.***> wrote: *yash-pouranik* left a comment (geturbackend/urBackend#173) <#173 (comment)> your branch is 300+ commits behind the main image.png (view on web) <https://github.com/user-attachments/assets/3dba6ce4-ec8c-4096-9f2e-af7b66f1dfce> — Reply to this email directly, view it on GitHub <#173 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BOHCYRP737MYDNHG5FML2KD43FSMRAVCNFSM6AAAAACZBEYSGOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DINRZG4ZDCOJXG4> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[yash-pouranik]

can u pelase resolve merge conflict and then commit again?

[yash-pouranik]

Thank you for the PR @NAYAMATVISION
This was really nice implementation for no sql injection.