In order to guard against query selector injections from a data object with unknown structure
Use mongo-sanitize to deeply sanitize via recursion:
const deepSanitize = (value) => { if(Array.isArray(value)){ value.forEach(elm=>deepSanitize(elm)) } if(typeof(value) === 'object'&& value !== null){ Object.values(value).forEach((elm)=>{ deepSanitize(elm) }) } return sanitize(value)}For example with sanitize(req.query) nested query selectors will not be removed:
const req = {} req.query = { _id : { $ne: 1 } } console.log(req.query)) // { _id: { '$ne': 1 } }console.log(sanitize(req.query)) // { _id: { '$ne': 1 } }Using deepSanitize(req.query) sanitized objects (including nested) are mutated:
console.log(deepSanitize(req.query)) // { _id: {} }console.log(req.query) // { _id: {} }Eliminate object mutation with {...req.query}:
console.log(deepSanitize({...req.query})) // { _id: {} }console.log(req.query) // { _id: { '$ne': 1 } }