fixed: allowedKeys issue

pariazar · Mar 23, 2024 · fa68d8d · fa68d8d
1 parent 32ff0f0
commit fa68d8d
Show file tree

Hide file tree

Showing 4 changed files with 66 additions and 10 deletions.
diff --git a/modules/index.js b/modules/index.js
@@ -13,6 +13,7 @@ const prepareSanitize = (
     noSqlLevel: 5,
     forbiddenTags: [],
     level,
+    allowedKeys: []
   }
 ) => {
   if (options.level) {
@@ -23,8 +24,8 @@ const prepareSanitize = (
     data = custom_sanitize.prepareSanitize(data, options);
   if (options.xss) data = xss_sanitize.prepareSanitize(data, options);
   if (options.noSql)
-    data = nosql_injection.prepareSanitize(data, options.noSqlLevel);
-  if (options.sql) data = sql_injection.prepareSanitize(data, options.sqlLevel);
+    data = nosql_injection.prepareSanitize(data, options);
+  if (options.sql) data = sql_injection.prepareSanitize(data, options);
 
   return data;
 };

diff --git a/modules/nosql_injection.js b/modules/nosql_injection.js
@@ -12,6 +12,17 @@ function noSQLSanitizer(input, level) {
   });
   return input;
 }
+
+function containsAllowedKey(item, allowedKeys) {
+  for (const key of allowedKeys) {
+    const regex = new RegExp(key.replace(/\./g, '\\.').replace(/\*/g, '.*').replace(/%/g, '.*'));
+    if (regex.test(item)) {
+      return true;
+    }
+  }
+  return false;
+}
+
 const detectNoSqlInjection = (value, level = 5) => {
   const limits = mongoLimit.filter((item) => {
     if (item.level <= level) {
@@ -33,8 +44,14 @@ const detectNoSqlInjection = (value, level = 5) => {
   return result;
 }
 
-const sanitize = (data, level) => {
+const sanitize = (data, options) => {
+  if(!options?.level) options.level = 5;
+  const { level } = options;
+
   if (typeof data === "string") {
+    if(options?.allowedKeys?.includes(data)){
+      return data;
+    }
     return noSQLSanitizer(data, level);
   }
   if (Array.isArray(data)) {
@@ -51,6 +68,9 @@ const sanitize = (data, level) => {
   if (typeof data === "object" && data !== null) {
     Object.keys(data).forEach((key) => {
       const item = data[key];
+      if(options?.allowedKeys  && containsAllowedKey(item, options.allowedKeys)){
+        return data;
+      }
       if (typeof item === "string") {
         data[key] = noSQLSanitizer(item, level);
       } else if (Array.isArray(item) || typeof item === "object") {
@@ -65,8 +85,8 @@ const sanitize = (data, level) => {
   return data;
 };
 
-const prepareSanitize = (data, level = 5) => {
-  return sanitize(data, level);
+const prepareSanitize = (data, options) => {
+  return sanitize(data, options);
 };
 module.exports = {
   prepareSanitize,

diff --git a/modules/sql_injection.js b/modules/sql_injection.js
@@ -13,6 +13,16 @@ function hasSqlInjection(value, level) {
   return value;
 }
 
+function containsAllowedKey(item, allowedKeys) {
+  for (const key of allowedKeys) {
+    const regex = new RegExp(key.replace(/\./g, '\\.').replace(/\*/g, '.*').replace(/%/g, '.*'));
+    if (regex.test(item)) {
+      return true;
+    }
+  }
+  return false;
+}
+
 const detectSqlInjection = (value, level = 5) => {
   const limits = sqlLimits.filter((item) => {
     if (item.level <= level) {
@@ -37,11 +47,17 @@ const detectSqlInjection = (value, level = 5) => {
   return result;
 };
 
-const sanitize = (data, level) => {
+const sanitize = (data, options) => {
+  if(!options?.level) options.level = 5;
+  const { level } = options;
+
   if (typeof data === "string") {
+    if(options?.allowedKeys?.includes(data)){
+      return data;
+    }
     return hasSqlInjection(data, level);
   }
-  if (Array.isArray(data)) {
+  if (Array.isArray( )) {
     return data.map((item) => {
       if (typeof item === "string") {
         return hasSqlInjection(item, level);
@@ -55,6 +71,9 @@ const sanitize = (data, level) => {
   if (typeof data === "object" && data !== null) {
     Object.keys(data).forEach((key) => {
       const item = data[key];
+      if(options?.allowedKeys && containsAllowedKey(item, options.allowedKeys)){
+        return data;
+      }
       if (typeof item === "string") {
         data[key] = hasSqlInjection(item, level);
       } else if (Array.isArray(item) || typeof item === "object") {
@@ -69,10 +88,10 @@ const sanitize = (data, level) => {
   return data;
 };
 
-const prepareSanitize = (data, level = 5) => {
-  return sanitize(data, level);
+const prepareSanitize = (data, options) => {
+  return sanitize(data, options);
 };
 module.exports = {
   prepareSanitize,
   detectSqlInjection,
-};
+};
diff --git a/modules/xss_sanitize.js b/modules/xss_sanitize.js
@@ -14,6 +14,16 @@ const initializeOptions = (options) => {
   };
 };
 
+function containsAllowedKey(item, allowedKeys) {
+  for (const key of allowedKeys) {
+    const regex = new RegExp(key.replace(/\./g, '\\.').replace(/\*/g, '.*').replace(/%/g, '.*'));
+    if (regex.test(item)) {
+      return true;
+    }
+  }
+  return false;
+}
+
 const detectXss = (value) => {
   try {
     const input = value.length;
@@ -28,6 +38,9 @@ const detectXss = (value) => {
 
 const sanitize = (options, data) => {
   if (typeof data === "string") {
+    if(options?.allowedKeys?.includes(data)){
+      return data;
+    }
     return sanitizeHtml(data, options.sanitizerOptions);
   }
   if (Array.isArray(data)) {
@@ -46,6 +59,9 @@ const sanitize = (options, data) => {
       if (options.allowedKeys.includes(key)) {
         return;
       }
+      if(options?.allowedKeys && containsAllowedKey(data[key], options.allowedKeys)){
+        return data[key];
+      }
       const item = data[key];
       if (typeof item === "string") {
         data[key] = sanitizeHtml(item, options.sanitizerOptions);