diff --git a/index.js b/index.js
index 1d57357..3ec7553 100644
--- a/index.js
+++ b/index.js
@@ -100,6 +100,20 @@ function sanitize(target, options = {}) {
   return _sanitize(target, options).target;
 }
 
+function deepCopy(obj) {
+  if (obj === null || typeof obj !== 'object') {
+    return obj;
+  }
+
+  if (Array.isArray(obj)) {
+    return obj.map(deepCopy);
+  }
+
+  return Object.fromEntries(
+    Object.entries(obj).map(([key, value]) => [key, deepCopy(value)]),
+  );
+}
+
 /**
  * @param {{replaceWith?: string, onSanitize?: function, dryRun?: boolean}} options
  * @returns {function}
@@ -107,7 +121,7 @@ function sanitize(target, options = {}) {
 function middleware(options = {}) {
   const hasOnSanitize = typeof options.onSanitize === 'function';
   return function (req, res, next) {
-    ['body', 'params', 'headers', 'query'].forEach(function (key) {
+    ['body', 'params', 'headers'].forEach(function (key) {
       if (req[key]) {
         const { target, isSanitized } = _sanitize(req[key], options);
         req[key] = target;
@@ -119,6 +133,24 @@ function middleware(options = {}) {
         }
       }
     });
+
+    if (req.query) {
+      const sanitizedQuery = _sanitize(deepCopy(req.query), options);
+      if (sanitizedQuery.isSanitized) {
+        Object.defineProperty(req, 'query', {
+          value: sanitizedQuery.target,
+          writable: false,
+          configurable: true,
+          enumerable: true,
+        });
+        if (hasOnSanitize) {
+          options.onSanitize({
+            req,
+            key: 'query',
+          });
+        }
+      }
+    }
     next();
   };
 }
diff --git a/package-lock.json b/package-lock.json
index 69b2e12..7358a4e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "express-mongo-sanitize",
-  "version": "2.1.0",
+  "version": "2.2.0",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
     "": {
       "name": "express-mongo-sanitize",
-      "version": "2.1.0",
+      "version": "2.2.0",
       "license": "MIT",
       "devDependencies": {
         "@types/express": "^4.17.13",
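Review bot: `deepCopy` has no JSDoc, and its contract is narrower than the name suggests: any non-array object — a Date, a Map, or an `Object.create(null)` dictionary such as some query parsers produce — comes back as a plain `Object.fromEntries` object holding only its own enumerable string keys, and a cyclic structure would recurse without bound. That is acceptable for the parsed query values it is applied to in the `req.query` hunk below, but a reader of the standalone helper cannot tell that from the code. A header such as `/** Recursively copies a parsed query value. Only own enumerable string keys survive and every object becomes a plain object or array; not a general-purpose clone and not cycle-safe. */` would make the intended scope explicit. It is worth noting in the same comment that `Object.fromEntries` creates `__proto__` as an own data property rather than assigning the prototype, so the copy itself does not reintroduce prototype pollution for such keys before `_sanitize` runs.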
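Review bot: `Object.defineProperty(req, 'query', { value: …, writable: false, … })` makes `req.query` read-only for every later middleware and handler, but only on requests where something was actually sanitized, whereas the previous `req[key] = target` path left it an ordinary writable property; downstream code that reassigns `req.query` (another sanitizing or normalizing middleware, for instance) will now throw in strict mode or silently no-op on exactly those requests, which is a hard-to-reproduce behavior difference. If the intent is only to shadow a getter-only `req.query` on newer Express versions — which is presumably why the query case left the `forEach` — `writable: true` would achieve that without adding the restriction; if read-only is deliberate, a comment next to the call stating why should accompany it. The enclosing `middleware` function starts outside this hunk.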