Sanitising arbitrary JS object in Meteor method

Good evening everyone,

I am creating a tool, part of which is a JSON schema editor that will output an arbitrary JS object (that when stringified should be a valid JSON schema document). I would like to send this from client to server and then store it in MongoDB.

I intend to submit this with some separate method arguments like userId etc. which of course I would sanitise as string using the check package. I will also validate it on the backend to check it is a valid JSON schema document. But what else should I do from a security perspective to make sure that the object is safe to dump into MongoDB and then retrieve later? Is it only safe if stored as a string or is there some steps you could recommend to be able to safely store it as a document or subdocument without worrying about injection attacks etc.?

If you expect this object to vary a lot, better save it stringified and don’t let it be used in the backend for anything sensitive.

If you expect the object to have the same properties, or have only a handful of versions, I wholeheartedly recommend the excellent, which integrates closely (same author) to vaildate documents before being inserted into MongoDB, or before updating them. You could also use the latter to check your JSON at the point of entry (the Meteor method).

Edit - actually you should always validate what arrives via a Meteor method.
Edit 2 - the userId of the user calling the method should not be sent as an argument (it can be faked), if this is what you are talking about. Instead, in the method, on the server, use this.userId.

1 Like