sanitize() Only Strips Top-Level $-Prefixed Keys — NoSQL Injection Risk
File: input.validation.js:L287-L295
module.exports.sanitize = (obj) => {
  const clean = {};
  for (const key in obj) {
    // Only top-level keys are checked for the "$" prefix
    if (!key.startsWith("$")) {
      clean[key] = obj[key]; // Nested objects with $ keys are NOT sanitized here
    }
  }
  return clean;
};
If a user sends { "profile": { "$gt": "" } }, the nested $gt operator passes through unsanitized. This could enable NoSQL injection in nested update operations.
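One way to close the gap is to recurse into nested objects and arrays. The following is an added example, not code from the project: `sanitizeShallow` reproduces the reported behaviour for comparison, and `sanitizeDeep`, `MAX_DEPTH` and the sample payload are hypothetical names and constructed values.

```javascript
// Added example. sanitizeShallow mirrors the reported behaviour;
// sanitizeDeep and MAX_DEPTH are hypothetical names.
function sanitizeShallow(obj) {
  const clean = {};
  for (const key in obj) {
    if (!key.startsWith("$")) clean[key] = obj[key]; // nested values copied as-is
  }
  return clean;
}

const MAX_DEPTH = 32; // assumed bound so hostile, very deep input is rejected

// Drop $-prefixed keys at every level, including objects inside arrays.
function sanitizeDeep(value, depth = 0) {
  if (depth > MAX_DEPTH) throw new RangeError("input nested too deeply");
  if (Array.isArray(value)) {
    return value.map((item) => sanitizeDeep(item, depth + 1));
  }
  if (value === null || typeof value !== "object") return value; // primitives
  // Leave non-plain objects (Date, Buffer, ...) untouched.
  const proto = Object.getPrototypeOf(value);
  if (proto !== Object.prototype && proto !== null) return value;
  const clean = {};
  for (const key of Object.keys(value)) {
    // "__proto__" is also skipped so the assignment below cannot
    // replace the prototype of `clean`.
    if (key.startsWith("$") || key === "__proto__") continue;
    clean[key] = sanitizeDeep(value[key], depth + 1);
  }
  return clean;
}

// Constructed sample input: operators at the top level, nested, and in an array.
const payload = JSON.parse(
  '{"name":"a","$where":"1","profile":{"$gt":""},"tags":[{"$ne":null,"ok":1}]}'
);

console.log("shallow:", JSON.stringify(sanitizeShallow(payload)));
console.log("deep:   ", JSON.stringify(sanitizeDeep(payload)));
```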