From 3d7c135b65ed695728c46aaecbe85f64886b7396 Mon Sep 17 00:00:00 2001
From: Leonardo Zanivan
Date: Tue, 17 Dec 2019 11:42:04 -0300
Subject: [PATCH] Ignore '$' attribute (used by xml2js parser)

---
 dist/Shield.js | 2 +-
 src/Shield.ts | 2 +-
 test/Shield.test.ts | 11 +++++++++++
 3 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/dist/Shield.js b/dist/Shield.js
index 4fdb6bc..992d710 100644
--- a/dist/Shield.js
+++ b/dist/Shield.js
@@ -6,7 +6,7 @@ class Shield {
 static traverse(obj, opts) {
 let error;
 for (const k in obj) {
- if (opts.mongo && Utils_1.default.isString(k) && k.indexOf('$') === 0) {
+ if (opts.mongo && Utils_1.default.isString(k) && k.indexOf('$') === 0 && k.length > 1) {
 error = new ShieldError_1.default('Mongo $ injection found', 'mongo_error', obj);
 break;
 }
diff --git a/src/Shield.ts b/src/Shield.ts
index 61c91bf..04d7068 100644
--- a/src/Shield.ts
+++ b/src/Shield.ts
@@ -10,7 +10,7 @@ export class Shield {
 private static traverse(obj: any, opts: ShieldOptions): ShieldError | undefined {
 let error;
 for (const k in obj) {
- if (opts.mongo && Utils.isString(k) && k.indexOf('$') === 0) {
+ if (opts.mongo && Utils.isString(k) && k.indexOf('$') === 0 && k.length > 1) {
 error = new ShieldError('Mongo $ injection found', 'mongo_error', obj);
 break;
 }
diff --git a/test/Shield.test.ts b/test/Shield.test.ts
index 29ffbde..98ac156 100644
--- a/test/Shield.test.ts
+++ b/test/Shield.test.ts
@@ -130,6 +130,17 @@ describe('Shield', () => {
 });
 });
 
+ it('should not block "$" attribute', (done) => {
+ const payload = {
+ $: {
+ id: 1,
+ },
+ };
+ shield.evaluate(payload, {
+ mongo: true,
+ }, done);
+ });
+
 it('should not block __proto__ object', (done) => {
 const payload = JSON.parse('{ "__proto__": { "admin": true } }');
 shield.evaluate(payload, {
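Review bot: The new `&& k.length > 1` carve-out in the `$`-key check in src/Shield.ts has no comment, so a later reader will not know that a bare `$` key is exempted on purpose (per the subject, xml2js stores element attributes under `$`) and may tighten it back. Suggest `// a bare '$' key is xml2js's attribute container, not a Mongo operator; only longer '$'-prefixed keys are rejected` above the condition. As style, `k.startsWith('$') && k.length > 1` states the intent more directly than `k.indexOf('$') === 0`, if the compile target allows it, and `Utils.isString(k)` is redundant because `for...in` only yields string keys, though that predates this change. The same condition is duplicated verbatim in dist/Shield.js, which appears to be build output. traverse's body continues outside the hunk, so whether the value under the exempted `$` key is still traversed cannot be confirmed here.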
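Review bot: The new test in test/Shield.test.ts pins only the permissive side of the `k.length > 1` boundary; a paired case asserting that a multi-character `$`-prefixed key such as `$gt` is still rejected would keep the exemption from widening, unless an existing test not visible here already covers it. A payload like `{ $: { $gt: 1 } }` would also be worth a case, to confirm the exemption applies to the bare key only and not to keys nested under it; the recursion that decides this is outside the hunk, so that expectation is inferred. The enclosing `describe('Shield', ...)` block starts and ends outside the hunk.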