feat!: support Express 5

BREAKING CHANGE: Must use expressApp.set('query parser', 'extended') to
parse and sanitize nested query params

Author: Victor Xu

.gitignore

@@ -1,5 +1,8 @@
 # Created by https://www.gitignore.io/api/node
 
+### Dev ###
+app.js
+
 ### Node ###
 # Logs
 logs

README.md

@@ -1,6 +1,8 @@
 # Express Mongo Sanitize
 
-Express 4.x middleware which sanitizes user-supplied data to prevent MongoDB Operator Injection.
+Express 5.x middleware which sanitizes user-supplied data to prevent MongoDB Operator Injection.
+
+For Express 4.x please use v2.2 of this package.
 
 [![Build Status](https://github.com/fiznool/express-mongo-sanitize/workflows/Node.js%20CI/badge.svg)](https://github.com/fiznool/express-mongo-sanitize/actions/workflows/nodejs.yml)
 [![npm version](https://img.shields.io/npm/v/express-mongo-sanitize)](https://www.npmjs.com/package/express-mongo-sanitize)
@@ -42,7 +44,7 @@ const bodyParser = require('body-parser');
 const mongoSanitize = require('express-mongo-sanitize');
 
 const app = express();
-
+app.set('query parser', 'extended');
 app.use(bodyParser.urlencoded({ extended: true }));
 app.use(bodyParser.json());
 
@@ -110,6 +112,24 @@ app.use(
 );
 ```
 
+### Sanitizing Nested Objects
+
+To sanitize nested objects in query strings, such as `/query?username[$gt]=foo&username[dotted.data]=some_data`, ensure that Express' `query parser` option is set to `extended`. This helps protect against nested query injection attacks through query parameters.
+
+If `replaceWith` is not set, the sanitized query parameter will appear as:
+
+```json
+{ "username": {} }
+```
+
+However, if using Express v5's default `simple` query parser, the query parameter will remain as:
+
+```json
+{ "username[$gt]": "foo" }
+```
+
+For sanitizing nested objects in the request body, configure `bodyParser.urlencoded({ extended: true })`.
+
 ### Node Modules API
 
 You can also bypass the middleware and use the module directly:
@@ -148,6 +168,10 @@ const hasProhibited = mongoSanitize.has(payload);
 const hasProhibited = mongoSanitize.has(payload, true);
 ```
 
+### `req.query` Being Readonly in Express v5
+
+`req.query` is designed to be read only in Express v5; however, this middleware modifies `req.query`, which might be unexpected for some users.
+
 ## Contributing
 
 PRs are welcome! Please add test coverage for any new features or bugfixes, and make sure to run `npm run prettier` before submitting a PR to ensure code consistency.

index.js

@@ -107,7 +107,7 @@ function sanitize(target, options = {}) {
 function middleware(options = {}) {
   const hasOnSanitize = typeof options.onSanitize === 'function';
   return function (req, res, next) {
-    ['body', 'params', 'headers', 'query'].forEach(function (key) {
+    ['body', 'params', 'headers'].forEach(function (key) {
       if (req[key]) {
         const { target, isSanitized } = _sanitize(req[key], options);
         req[key] = target;
@@ -119,6 +119,24 @@ function middleware(options = {}) {
         }
       }
     });
+
+    if (req.query) {
+      const { target, isSanitized } = _sanitize(req.query, options);
+      if (isSanitized) {
+        Object.defineProperty(req, 'query', {
+          value: target,
+          writable: false,
+          configurable: true,
+          enumerable: true,
+        });
+        if (hasOnSanitize) {
+          options.onSanitize({
+            req,
+            key: 'query',
+          });
+        }
+      }
+    }
     next();
   };
 }