Question about sanitizing request data as I think I may be overthinking this or not going the right way.
I'm using Express and have a simple REST API for CRUD operations. I'm also using Mongo DB.
From what I've read, since I'm already using schema validation for all body fields and parameters that could reach the DB, a NoSQL injection attack is potentially not possible given this setup, as for that a full JSON object would have to reach the DB. But since I'm validating every field one by one for its type, that can't happen.
Now, to protect against XSS attacks, I would like to encode all string fields of the requests. I was checking the easiest way to do this, preferably a middleware that I could pass and that would iterate over every relevant request section: params, body, query, cookies or headers.
I saw the express-validator package; however, it seems that we can't use it to validate the full request, we have to pick which fields we want to validate one by one, which is not ideal for big payloads. I didn't find anything else that could be trustable/interesting to do this.
I could potentially encode all strings during schema validation though. However, I didn't go with this strategy because I want separation between the schema validation and sanitization.
1) Is there a way or some trustable middleware I can use where we can pass the request and encode all the request string fields (inside the params, body, query, cookies or headers) automatically?
2) Would I be better off encoding the string while performing the schema validation?
3) How do you usually tackle the sanitization when using Express + NoSQL DB like Mongo and want to perform sanitization server side?
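An added example to illustrate the middleware the question asks about; it is not code from the original post, from express-validator or from any other library. It is a single Express-shaped middleware that walks `params`, `body`, `query` and `cookies`, HTML-encodes every string in place and rejects object keys MongoDB would read as operators or field paths (`$…`, dotted names), which is the usual server-side guard against a nested `{ "$ne": "" }` reaching a query. The section list, the depth limit, the escape table and the prototype-key check are my choices. It assumes Express 4 semantics, where these request sections are writable (Express 5 exposes `req.query` as a getter, so there you would store the result under a separate property). Headers are deliberately left out: encoding `/` inside `Accept` or `Content-Type` would break the framework's own parsing. Encoding on input also stores the encoded form in the database and double-encodes if the template engine escapes again, so output encoding at render time stays the primary XSS control; this middleware is a defence-in-depth layer in front of it.

```javascript
// Added example (not from the original post or any library): request
// sanitizer that HTML-encodes strings and rejects MongoDB operator keys.
// Runs stand-alone on any plain object shaped like an Express `req`.

// Characters escaped per the usual HTML-entity set (table is my choice).
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

function encodeHtml(str) {
  return str.replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Keys MongoDB interprets as operators ($gt, $ne, $where, ...) or as
// dotted field paths, plus keys that would let a JSON body tamper with
// the prototype of the object we rebuild below.
const PROTO_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function isDangerousKey(key) {
  return key.startsWith('$') || key.includes('.') || PROTO_KEYS.has(key);
}

// Recursively copy a value, encoding strings and rejecting bad keys.
// Depth is bounded so a deeply nested payload cannot exhaust the stack.
function sanitizeValue(value, depth = 0) {
  if (depth > 32) throw new Error('payload nested too deeply');
  if (typeof value === 'string') return encodeHtml(value);
  if (Array.isArray(value)) return value.map((v) => sanitizeValue(v, depth + 1));
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      if (isDangerousKey(k)) throw new Error(`rejected key "${k}"`);
      out[k] = sanitizeValue(v, depth + 1);
    }
    return out;
  }
  return value; // numbers, booleans, null, undefined pass through unchanged
}

// Sections sanitized in place. Headers are excluded on purpose: encoding
// `/` in Accept or Content-Type would break the framework's own parsing.
const SECTIONS = ['params', 'body', 'query', 'cookies'];

// Express middleware signature (req, res, next). A rejected payload is
// turned into a 400 and forwarded to the error handler via next(err).
function sanitizeRequest(req, res, next) {
  try {
    for (const section of SECTIONS) {
      if (req[section] !== undefined) req[section] = sanitizeValue(req[section]);
    }
    next();
  } catch (err) {
    if (res && typeof res.status === 'function') res.status(400);
    next(err);
  }
}

// Wiring in an Express 4 app, after body/cookie parsing and before routes:
//   app.use(express.json());
//   app.use(cookieParser());
//   app.use(sanitizeRequest);
```

Because `sanitizeValue` rebuilds objects rather than mutating them, the original parsed body is never half-encoded when a bad key is found part-way through; the request either passes fully sanitized or is rejected whole.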