
Access `req` before sanitization

Open Zirafnik opened this issue 7 months ago • 0 comments

I want to access the req object with dirty values, before it is sanitized, so I can log the malicious request.

Right now, we get access to req in the onSanitize function, which is run after the request is already cleaned. Perhaps a beforeSanitization (beforeSanitize?) function could be added, which is executed before the sanitization process, and after it is determined the request needs to be cleaned.

Right now this can be accomplished by running the middleware twice: once with the dryRun: true option, and then again without it to clean the request. However, this is not optimal & should not be the case. If the middleware determines that the request needs sanitization, just execute beforeSanitize beforehand.

Alternatively, the onSanitize function could just get access to the old dirty req (instead of the new clean one) OR additionally get a new target parameter, which includes the sanitized data and its location in the tree.

Sanitization of objects, due to its recursive nature, is very expensive, so running the same middleware twice over the same object is ludicrous.

Related to #79, but I do NOT want to log every request like in the proposed answer, but only those determined malicious.

Zirafnik · Jul 17 '24 19:07
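The following is an added example illustrating the behaviour the issue asks for; it is not express-mongo-sanitize's own code, and `createSanitizer`, `findProhibited`, `sanitizeInPlace` and the `beforeSanitize` hook are hypothetical names chosen here (the `onSanitize` and `replaceWith` names mirror the library options the post refers to). It first walks the payload without mutating it to find prohibited keys (those starting with `$` or containing `.`), calls `beforeSanitize` with the still-dirty data and the paths of the offending keys, and only then rewrites the keys and calls `onSanitize`. Clean requests pay a single traversal and trigger no callback, which is the point the post makes about not walking the object twice.

```javascript
// Added example (not express-mongo-sanitize's code): a minimal sanitizer with a
// `beforeSanitize` hook that receives the dirty request for logging. The key
// rule (leading '$' or a '.' anywhere) matches what the library rejects.

function isProhibitedKey(key) {
  return key.startsWith('$') || key.includes('.');
}

// Read-only walk: collect '/'-joined paths of prohibited keys. Returns [] for
// a clean payload, so callers can skip the mutating pass entirely.
function findProhibited(value, path = []) {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => hits.push(...findProhibited(item, [...path, String(i)])));
  } else if (value && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      const here = [...path, key];
      if (isProhibitedKey(key)) hits.push(here.join('/'));
      hits.push(...findProhibited(child, here));
    }
  }
  return hits;
}

// Mutating pass: rename prohibited keys, replacing '$' and '.' with `replaceWith`.
// Object.keys() is snapshotted first so keys added during the loop are not revisited.
function sanitizeInPlace(value, replaceWith) {
  if (Array.isArray(value)) {
    value.forEach((item) => sanitizeInPlace(item, replaceWith));
  } else if (value && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      const child = sanitizeInPlace(value[key], replaceWith);
      if (isProhibitedKey(key)) {
        delete value[key];
        value[key.replace(/[$.]/g, replaceWith)] = child;
      }
    }
  }
  return value;
}

// Express-style middleware factory. `beforeSanitize` sees the dirty data plus
// the offending paths; `onSanitize` sees the cleaned data, as the library does today.
function createSanitizer({ beforeSanitize, onSanitize, replaceWith = '_' } = {}) {
  return function sanitizeMiddleware(req, res, next) {
    for (const key of ['body', 'params', 'query']) {
      if (!req[key]) continue;
      const paths = findProhibited(req[key]);
      if (paths.length === 0) continue; // clean: one traversal, no callbacks
      if (beforeSanitize) beforeSanitize({ req, key, paths });
      sanitizeInPlace(req[key], replaceWith);
      if (onSanitize) onSanitize({ req, key });
    }
    next();
  };
}

// Drive the middleware with a constructed request (an operator-injection style
// login payload) and return what each hook observed, so the result can be checked.
function runExample() {
  const log = [];
  const middleware = createSanitizer({
    replaceWith: '_',
    beforeSanitize: ({ req, key, paths }) =>
      log.push({ stage: 'before', key, paths, snapshot: JSON.stringify(req[key]) }),
    onSanitize: ({ req, key }) =>
      log.push({ stage: 'after', key, snapshot: JSON.stringify(req[key]) }),
  });
  const req = {
    body: { username: { $gt: '' }, password: 'hunter2', tags: ['a', { 'a.b': 1 }] },
    query: { page: '1' }, // clean: no hook fires for it
    params: {},
  };
  let nextCalled = false;
  middleware(req, {}, () => { nextCalled = true; });
  return { req, log, nextCalled };
}
```

Only the `body` section of the constructed request is dirty, so exactly two log entries are produced: the `before` entry still shows `{"$gt":""}` and `{"a.b":1}` with their paths `username/$gt` and `tags/1/a.b`, and the `after` entry shows the renamed keys `_gt` and `a_b`. A real logging hook would typically record the paths and a redacted snapshot rather than the full body, since credentials travel in the same object.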