diff --git a/lib/common.js b/lib/common.js
index 13b193f..5e48c15 100644
--- a/lib/common.js
+++ b/lib/common.js
@@ -65,6 +65,17 @@ exports.checkLogin = (req, res, next) => {
 res.redirect('/admin/login');
 };
+exports.mongoSanitize = (param) => {
+ if (param instanceof Object) {
+ for (const key in param) {
+ if (/^\$/.test(key)) {
+ delete param[key];
+ }
+ }
+ }
+ return param;
+};
+
 // Middleware to check for admin access for certain route
 exports.checkAccess = (req, res, next) => {
 const routeCheck = _.find(restrictedRoutes, {'route': req.route.path});
diff --git a/package.json b/package.json
index 09eb5cb..fcf76cf 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "express-cart",
- "version": "1.1.7",
+ "version": "1.1.8",
 "description": "A fully functioning Node.js shopping cart with Stripe, PayPal and Authorize.net payments.",
 "private": false,
 "scripts": {
diff --git a/routes/admin.js b/routes/admin.js
index db0aeb9..d487bbb 100644
--- a/routes/admin.js
+++ b/routes/admin.js
@@ -58,7 +58,7 @@ router.get('/admin/login', (req, res) => {
 router.post('/admin/login_action', (req, res) => {
 let db = req.app.db;
- db.users.findOne({userEmail: req.body.email}, (err, user) => {
+ db.users.findOne({userEmail: common.mongoSanitize(req.body.email)}, (err, user) => {
 if(err){
 res.status(400).json({message: 'A user with that email does not exist.'});
 return;
diff --git a/routes/customer.js b/routes/customer.js
index cf16196..19a17f2 100644
--- a/routes/customer.js
+++ b/routes/customer.js
@@ -133,7 +133,7 @@ router.get('/admin/customers/filter/:search', common.restrict, (req, res, next)
 router.post('/customer/login_action', async (req, res) => {
 let db = req.app.db;
- db.customers.findOne({email: req.body.loginEmail}, (err, customer) => { // eslint-disable-line
+ db.customers.findOne({email: common.mongoSanitize(req.body.loginEmail)}, (err, customer) => { // eslint-disable-line
 if(err){
 // An error accurred
 return res.status(400).json({
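Review bot: The new `mongoSanitize` strips `$`-prefixed keys only at the top level of `param`; an operator one level down (constructed example: `{ a: { $gt: '' } }`) or inside an array element passes through untouched, so any caller that embeds the sanitized value in a larger query is still exposed. Recursing into object and array values closes that gap, and iterating `Object.keys` with `startsWith('$')` also avoids visiting inherited enumerable properties, which the `for...in` loop does today. The function carries no documentation; a header such as `/** Remove MongoDB operator keys ($-prefixed) from a request value, in place and recursively. Non-object values are returned unchanged. */` would make clear to callers that strings pass straight through and that the argument is mutated. Also worth noting in that comment: when every key is an operator, `delete` leaves an empty `{}` behind, which still reaches the query as a document rather than a string.
```javascript
exports.mongoSanitize = (param) => {
    if (param instanceof Object) {
        for (const key of Object.keys(param)) {
            if (key.startsWith('$')) {
                delete param[key];
            } else {
                // arrays are objects too: their index keys never start with '$',
                // so this branch walks array elements as well as nested documents
                param[key] = exports.mongoSanitize(param[key]);
            }
        }
    }
    return param;
};
```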
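Review bot: `common.mongoSanitize(req.body.email)` on the new `findOne` line returns non-string bodies as-is once their operator keys are removed (an object comes back as `{}`, an array as an array), so the query is still built from whatever type the client submitted; the same applies to `req.body.loginEmail` in the routes/customer.js hunk. A login field is by definition a plain string, so the narrower guard is a type check ahead of the query, e.g. `if (typeof req.body.email !== 'string') { res.status(400).json({message: 'A user with that email does not exist.'}); return; }`, reusing the existing message so the response does not distinguish the two failure modes. The sanitizer call can stay as defence in depth for callers that legitimately accept documents. The `router.post` handler body continues past the end of the hunk.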