genediazjr / disinfect Goto Github PK

View Code? Open in Web Editor NEW

21.0 3.0 9.0 131 KB

Request query, payload, and params sanitization for Hapi

License: MIT License

JavaScript 100.00%

disinfect hapi caja

disinfect's Introduction

disinfect

Hapi plugin to apply Google's Caja HTML Sanitizer on route query, payload, and params.

Capable for custom sanitization and per-route configuration.
Can also be used for input formatting using the custom sanitizer option.
Can be disabled per route.

Usage

const registerPlugins = async (server) => Promise.all([
    server.register({
        plugin: require('disinfect'),
        options: {
            disinfectQuery: true,
            disinfectParams: true,
            disinfectPayload: true
        }
    })
]);

registerPlugins(server)
    .then(() => {
        // ...
    })
    .catch((err) => {
        // ...
    })

Glue manifest

register: {
    plugins: [
        {
            plugin: require('disinfect'),
            options: {
                disinfectQuery: true,
                disinfectParams: true,
                disinfectPayload: true
            }
        }
    ]
}

Options

deleteEmpty - remove empty query or payload keys.
deleteWhitespace - remove whitespace query, payload, or params keys.
disinfectQuery - sanitize query strings.
disinfectParams - sanitize url params.
disinfectPayload - sanitize payload.
genericSanitizer - custom synchronous function to do the sanitization of query, payload, and params.
querySanitizer - custom synchronous function to do the sanitization of query strings.
paramsSanitizer - custom synchronous function to do the sanitization of url params.
payloadSanitizer - custom synchronous function to do the sanitization of payload.

deleteEmpty and deleteWhitespace defaults to false.

disinfectQuery, disinfectParams, and disinfectPayload defaults to false. If set to true, object will be passed to caja first before custom sanitizers.

dirtyObject ->`Caja` sanitizer -> `genericSanitizer` -> `query-`, `params-`, or `payload-` sanitizer -> deleteWhitespace -> deleteEmpty -> cleanObject.

genericSanitizer, querySanitizer, paramsSanitizer, and payloadSanitizer should be in the following format:

const customSanitizer = (dirtyObj) => {
    // ...
    return cleanObj;
}

All options can be passed on a per-route basis. Route options overrides server options.

// example
{
    path: '/',
    method: 'get',
    handler: (request, reply) => {
        ...
    },
    options: {
        plugins: {
            disinfect: {
                disinfectQuery: true,
                disinfectParams: false,
                disinfectPayload: true
            }
        }
    }
}

Disable on a route.

{
    path: '/',
    method: 'get',
    handler: (request, reply) => {
        ...
    },
    options: {
        plugins: {
            disinfect: false
        }
    }
}

Contributing

Include 100% test coverage
Follow the Hapi coding conventions
Submit an issue first for significant changes.

Credits

hapi-sanitize-payload - Hapi plugin to sanitize the request payload
Caja-HTML-Sanitizer - Bundles Google Caja's HTML Sanitizer within a npm installable node.js module

disinfect's People

Contributors

Stargazers

Watchers

Forkers

wardormeur acidburn0zzz defra ekawas diego-deriv theinfinity007 treenity

disinfect's Issues

Disinfect giving "TypeError: Cannot assign to read only property '0' of string" during sanitation

I am using hapi server and I want to use joi header validation( for content-type: 'application/json') in my PUT method.

The problem comes when the user sends a valid json in payload and sends 'content-type' header with value 'text/css' or 'text/javascript'. On postAuth this payload as a stringified string goes to disinfect and it is throwing error.

TypeError: Cannot assign to read only property '0' of string

Because of this the request in not reaching to the joi validation, which is present at the route level.

It can be one of the edge cases. Ideally the purpose of disinfect is the sanitation of the request data and should not throw error.

I am also attaching the request curl

curl --location --request PUT 'http://localhost:3000/blogs/b1' \ --header 'Content-Type: text/css' \ --data-raw '{ "text1": "test a", "text2": "test b" }'

"error": { "code": "Internal Server Error", "message": "An internal server error occurred", "statusCode": 500, "trace": "TypeError: Cannot assign to read only property '0' of string '{ \"text1\": \"test a\", \"text2\": \"test b\" }'\n at Object.internals.sanitize (/Users/infinity/Desktop/myAppService/node_modules/disinfect/lib/index.js:37:26)\n at Object.internals.disinfect (/Users/infinity/Desktop/myAppService/node_modules/disinfect/lib/index.js:75:34)\n at /Users/infinity/Desktop/myAppService/node_modules/disinfect/lib/index.js:137:45\n at exports.Manager.execute (/Users/infinity/Desktop/myAppService/node_modules/@hapi/hapi/lib/toolkit.js:57:29)\n at Request._invoke (/Users/infinity/Desktop/myAppService/node_modules/@hapi/hapi/lib/request.js:391:55)\n at Request._lifecycle (/Users/infinity/Desktop/myAppService/node_modules/@hapi/hapi/lib/request.js:364:86)\n at processTicksAndRejections (internal/process/task_queues.js:97:5)\n at async Request._execute (/Users/infinity/Desktop/myAppService/node_modules/@hapi/hapi/lib/request.js:273:9)" }

Fix @hapi deprecations

The following deprecations are present:

warning disinfect > [email protected]: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
warning disinfect > [email protected]: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
warning disinfect > joi > [email protected]: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
warning disinfect > joi > [email protected]: This module has moved and is now available at @hapi/topo. Please update your dependencies as this version is no longer maintained an may contain bugs and security issues.
warning disinfect > joi > topo > [email protected]: This module has moved and is now available at @hapi/hoek. Please update your dependencies as this version is no longer maintained an may contain bugs and security issues.```

Multipart form malformed object

Referring to hapijs/hapi#771

The returned result is malformed somewhere when setting output to stream and parse to true

Does not support Hapi 17

Hi, I have an outstanding pull request that upgrades this to HAPI-17

disinfectPayload cast all my arrays into strings

Hi,

I was testing this plugin to sanitize my payload. However is seems like any array contained in my payload is cast into a string.
Example payload :
{ "text1": "test a", "text2": "test b", "array": [ { "text3": "test c", "text4": "test d" }, { "text3": "test e", "text4": "test f" } ] }

Result :
{"text1":"test a","text2":"test b","array":"[object Object],[object Object]"}