feat(express): support for the body-parser module

Author: gergelyke

README.md

@@ -31,12 +31,18 @@ app.use(protect.express.xss())
 
 Returns an Express middleware, which checks for SQL injections.
 
-* `options.body`: if this options is set, the middleware will check for request bodies - options passed here are passed to the `raw-body` module
+* `options.body`: if this options is set (`true`), the middleware will check for request bodies as well
+  * default: `false`
+  * prerequisite: you must have the [body-parser](https://github.com/expressjs/body-parser) module used before adding the protect middleware
 * `options.loggerFunction`: you can provide a logger function for the middleware to log attacks
+  * default: `noop`
 
 #### `protect.express.xss([options])`
 
 Returns an Express middleware, which checks for XSS attacks.
 
-* `options.body`: if this options is set, the middleware will check for request bodies - options passed here are passed to the `raw-body` module
+* `options.body`: if this options is set (`true`), the middleware will check for request bodies
+  * default: `false`
+  * prerequisite: you must have the [body-parser](https://github.com/expressjs/body-parser) module used before adding the protect middleware
 * `options.loggerFunction`: you can provide a logger function for the middleware to log attacks
+  * default: `noop`

lib/express/index.js

@@ -1,13 +1,21 @@
 'use strict'
 
-const rawbody = require('raw-body')
 const rules = require('../rules')
 
+function getBodyAsString (body) {
+  if (typeof body === 'object') {
+    return JSON.stringify(body)
+  } else if (Buffer.isBuffer(body)) {
+    return body.toString('utf-8')
+  }
+
+  return body
+}
+
 function sqlInjection (options = {}) {
   const { loggerFunction = noop } = options
 
   return (request, response, next) => {
-    request._protect = request._protect || {}
     // return 403 if SQL injection found
     if (rules.isSqlInjection(request.originalUrl)) {
       loggerFunction('sql-injection', {
@@ -17,31 +25,15 @@ function sqlInjection (options = {}) {
     }
 
     if (options.body) {
-      if (request._protect.body) {
-        if (rules.isXss(request._protect.body)) {
-          loggerFunction('xss', {
-            body: request._protect.body
-          })
-          return response.sendStatus(403)
-        }
-        return next()
+      const body = getBodyAsString(request.body)
+
+      if (rules.isSqlInjection(body)) {
+        loggerFunction('sql-injection', {
+          body
+        })
+        return response.sendStatus(403)
       }
-      return rawbody(request, Object.assign({}, options.body, {
-        encoding: 'utf-8'
-      }))
-      .then((body) => {
-        request._protect.body = body
-        if (rules.isSqlInjection(body)) {
-          loggerFunction('sql-injection', {
-            body
-          })
-          return response.sendStatus(403)
-        }
-        return next()
-      })
-      .catch((error) => {
-        next(error)
-      })
+      return next()
     }
 
     return next()
@@ -52,7 +44,6 @@ function xss (options = {}) {
   const { loggerFunction = noop } = options
 
   return (request, response, next) => {
-    request._protect = request._protect || {}
     // return 403 if XSS found
     if (rules.isXss(request.originalUrl)) {
       loggerFunction('xss', {
@@ -62,31 +53,13 @@ function xss (options = {}) {
     }
 
     if (options.body) {
-      if (request._protect.body) {
-        if (rules.isXss(request._protect.body)) {
-          loggerFunction('xss', {
-            body: request._protect.body
-          })
-          return response.sendStatus(403)
-        }
-        return next()
+      const body = getBodyAsString(request.body)
+      if (rules.isXss(body)) {
+        loggerFunction('xss', {
+          body
+        })
+        return response.sendStatus(403)
       }
-      return rawbody(request, Object.assign({}, options.body, {
-        encoding: 'utf-8'
-      }))
-      .then((body) => {
-        request._protect.body = body
-        if (rules.isXss(body)) {
-          loggerFunction('xss', {
-            body
-          })
-          return response.sendStatus(403)
-        }
-        return next()
-      })
-      .catch((error) => {
-        next(error)
-      })
     }
 
     return next()

lib/express/index.spec.js

@@ -2,6 +2,8 @@
 
 const request = require('supertest')
 const express = require('express')
+const bodyParser = require('body-parser')
+
 const lib = require('../')
 
 describe('The express object', () => {
@@ -32,16 +34,22 @@ describe('The express object', () => {
 
     it('can block requests based on the body payload', () => {
       const app = express()
+      app.use(bodyParser.urlencoded({
+        extended: true
+      }))
       app.use(lib.express.sqlInjection({
-        body: {}
+        body: true
       }))
       app.post('/login', (req, res) => {
         res.send('ok')
       })
 
       return request(app)
         .post('/login')
-        .field('password', '; OR 1=1')
+        .type('form')
+        .send({
+          password: 'passowrd\' OR 1=1'
+        })
         .expect(403)
     })
   })
@@ -73,38 +81,42 @@ describe('The express object', () => {
 
     it('can block requests based on the body payload', () => {
       const app = express()
+      app.use(bodyParser.json())
       app.use(lib.express.xss({
-        body: {}
+        body: true
       }))
       app.post('/login', (req, res) => {
         res.send('ok')
       })
 
       return request(app)
         .post('/login')
-        .field('password', '<script>')
+        .send({
+          password: '<script>'
+        })
         .expect(403)
     })
   })
 
   describe('together', () => {
     it('works', () => {
       const app = express()
+      app.use(bodyParser.json())
       app.use(lib.express.xss({
-        body: {}
+        body: true
       }))
       app.use(lib.express.sqlInjection({
-        body: {
-          limit: '1mb'
-        }
+        body: true
       }))
       app.post('/login', (req, res) => {
         res.send('ok')
       })
 
       return request(app)
         .post('/login')
-        .field('password', '<script>')
+        .send({
+          password: '<script>'
+        })
         .expect(403)
     })
   })

package.json

@@ -15,6 +15,7 @@
   "author": "",
   "license": "MIT",
   "devDependencies": {
+    "body-parser": "1.17.1",
     "chai": "3.5.0",
     "co-mocha": "1.2.0",
     "eslint": "3.19.0",
@@ -29,8 +30,5 @@
     "sinon-chai": "2.10.0",
     "supertest": "3.0.0",
     "traverse": "0.6.6"
-  },
-  "dependencies": {
-    "raw-body": "2.2.0"
   }
 }