Sanitization

Sanitization is an additional protection in my ORM system

Sanitization in my ORM protects against SQL injection and other potential vulnerabilities by cleaning input data before it is used in queries. To enable it, create the DatabaseManager instance with the sanitizer: true option:

export const databaseManager = new DatabaseManager<DatabasesTypes.POSTGRES>({
    sanitizer: true,
});

The sanitizer is implemented through the Sanitizer class, which processes input data based on its type (string, number, or identifier). It uses various methods for data cleaning, including:

  • Number Sanitization: Converts input data into numbers and checks their validity.

  • Identifier Sanitization: Checks length, format, and the presence of reserved SQL words.

  • Automatic Sanitization: Handles different data types such as HTML, XML, JSON, URLs, file paths, shell commands, and others.

Examples of Data Before and After Sanitization:

Data Before Sanitization:

const htmlInput = "<script>alert('XSS');</script>";
const sqlInput = "SELECT * FROM users WHERE name = 'admin'; DROP TABLE users;";
const pathInput = "../../etc/passwd";

Data After Sanitization:

const sanitizedHtml = Sanitizer.sanitize(htmlInput); // &lt;script&gt;alert(&#039;XSS&#039;);&lt;/script&gt;
const sanitizedSql = Sanitizer.sanitize(sqlInput); // SELECT * FROM users WHERE name = 'admin';
const sanitizedPath = Sanitizer.sanitize(pathInput); // etc/passwd
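To make the three strategies listed above (number, identifier, automatic) and the before/after examples concrete, here is an added, self-contained TypeScript example. It is not the ORM's own Sanitizer class; the function names, the reserved-word list and the 63-character identifier limit (PostgreSQL's default) are assumptions, and the dispatch order in sanitizeAuto is a simplification of what the page describes.

```typescript
// Added example, not the ORM's own Sanitizer. Names and rules are hypothetical
// and only illustrate the three strategies described on the page.

// Constructed, deliberately partial list of reserved words an identifier
// must not collide with.
const RESERVED_SQL_WORDS: ReadonlySet<string> = new Set([
  "SELECT", "INSERT", "UPDATE", "DELETE", "DROP", "TABLE", "FROM",
  "WHERE", "UNION", "OR", "AND", "USER", "ORDER", "GROUP",
]);

// Number sanitization: accept only plain decimal text, coerce it to a number
// and reject anything that is not finite ("12abc", "", "0x10", objects, ...).
export function sanitizeNumber(input: unknown): number {
  const text = String(input).trim();
  if (!/^-?\d+(\.\d+)?$/.test(text)) {
    throw new TypeError(`sanitizeNumber: not a valid number: ${text}`);
  }
  const n = Number(text);
  if (!Number.isFinite(n)) {
    throw new TypeError(`sanitizeNumber: not a finite number: ${text}`);
  }
  return n;
}

// Identifier sanitization: check length, format and reserved words. Identifiers
// (table/column names) cannot be bound as query parameters, so they must be
// validated against a strict allow-list pattern rather than escaped.
export function sanitizeIdentifier(input: string, maxLength = 63): string {
  if (input.length === 0 || input.length > maxLength) {
    throw new RangeError(`sanitizeIdentifier: length must be 1..${maxLength}`);
  }
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(input)) {
    throw new Error(`sanitizeIdentifier: invalid characters in "${input}"`);
  }
  if (RESERVED_SQL_WORDS.has(input.toUpperCase())) {
    throw new Error(`sanitizeIdentifier: "${input}" is a reserved SQL word`);
  }
  return input;
}

// HTML sanitization: escape the five characters that can open markup or
// attribute context. Produces the same encoding as the page's example.
export function escapeHtml(input: string): string {
  const map: Record<string, string> = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;",
  };
  return input.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Path sanitization: drop NUL bytes and every "", "." and ".." segment so the
// result is a plain relative path ("../../etc/passwd" -> "etc/passwd").
// The caller should still resolve the result under a fixed base directory.
export function sanitizePath(input: string): string {
  return input
    .replace(/\0/g, "")
    .split(/[\\/]+/)
    .filter((seg) => seg !== "" && seg !== "." && seg !== "..")
    .join("/");
}

export type SanitizedValue = string | number;

// Automatic sanitization: pick a strategy from the shape of the input.
// Order matters: markup-like text is escaped before the path check so that
// "</script>" is not mistaken for a path.
export function sanitizeAuto(input: unknown): SanitizedValue {
  if (typeof input === "number") return sanitizeNumber(input);
  const text = String(input);
  if (/^\s*-?\d+(\.\d+)?\s*$/.test(text)) return sanitizeNumber(text);
  if (/[<>&"']/.test(text)) return escapeHtml(text);
  if (/[\\/]/.test(text)) return sanitizePath(text);
  return text;
}

// Stand-alone demo with the page's own sample inputs.
console.log(sanitizeAuto("<script>alert('XSS');</script>"));
console.log(sanitizeAuto("../../etc/passwd"));
console.log(sanitizeAuto("42"));
console.log(sanitizeIdentifier("user_name"));
```

Note that this example does not try to "clean" SQL text such as the second sample input: query values should reach the database as bound parameters, and the sanitizer then serves as defence in depth rather than as the only barrier. Identifiers are the one place where validation (not escaping) is the primary control, which is why sanitizeIdentifier rejects rather than rewrites.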

Sanitization in my ORM helps keep queries safe by removing unwanted characters and potential threats from incoming data. It includes protection against SQL injection, XSS attacks and other types of vulnerabilities. This functionality is currently under development, so some bugs or flaws may still be discovered.
