mongo-secure 0.1.0__py3-none-any.whl

mongo_secure/__init__.py

@@ -0,0 +1,10 @@
+from .sanitizer import (
+    MONGO_OPERATOR_REPLACEMENTS,
+    replace_blocked_mongo_operators,
+    sanitize
+)
+
+
+__all__ = [
+
+]

mongo_secure/sanitizer.py

@@ -0,0 +1,262 @@
+import inspect
+
+from functools import wraps
+
+
+MONGO_OPERATOR_REPLACEMENTS = {
+    "$all",
+    "$elemMatch",
+    "$size",
+    "$bitsAllClear",
+    "$bitsAllSet",
+    "$bitsAnyClear",
+    "$bitsAnySet",
+    "$eq",
+    "$ne",
+    "$gt",
+    "$gte",
+    "$lt",
+    "$lte",
+    "$in",
+    "$nin",
+    "$exists",
+    "$type",
+    "$expr",
+    "$jsonSchema",
+    "$mod",
+    "$regex",
+    "$where",
+    "$and",
+    "$not",
+    "$nor",
+    "$or",
+    "$geoIntersects",
+    "$geoWithin",
+    "$near",
+    "$nearSphere",
+    "$meta",
+    "$slice",
+    "$currentDate",
+    "$inc",
+    "$min",
+    "$max",
+    "$mul",
+    "$rename",
+    "$set",
+    "$setOnInsert",
+    "$unset",
+    "$[]",
+    "$addToSet",
+    "$pop",
+    "$pull",
+    "$push",
+    "$pullAll",
+    "$each",
+    "$position",
+    "$sort",
+    "$bit",
+    "$text",
+    "$search",
+    "$comment",
+    "$options",
+    "$rand",
+    "$natural",
+    "$",
+    "$setField",
+    "$unsetField",
+    "$replaceRoot",
+    "$replaceWith",
+    "$match",
+    "$project",
+    "$addFields",
+    "$group",
+    "$limit",
+    "$skip",
+    "$lookup",
+    "$graphLookup",
+    "$unwind",
+    "$facet",
+    "$bucket",
+    "$bucketAuto",
+    "$count",
+    "$sortByCount",
+    "$sample",
+    "$unionWith",
+    "$documents",
+    "$densify",
+    "$fill",
+    "$geoNear",
+    "$indexStats",
+    "$listLocalSessions",
+    "$listSessions",
+    "$planCacheStats",
+    "$redact",
+    "$searchMeta",
+    "$setWindowFields",
+    "$collStats",
+    "$out",
+    "$merge",
+    "$abs",
+    "$add",
+    "$ceil",
+    "$divide",
+    "$exp",
+    "$floor",
+    "$ln",
+    "$log",
+    "$log10",
+    "$multiply",
+    "$pow",
+    "$round",
+    "$sqrt",
+    "$subtract",
+    "$trunc",
+    "$arrayElemAt",
+    "$arrayToObject",
+    "$concatArrays",
+    "$filter",
+    "$first",
+    "$firstN",
+    "$indexOfArray",
+    "$isArray",
+    "$last",
+    "$lastN",
+    "$map",
+    "$maxN",
+    "$minN",
+    "$objectToArray",
+    "$range",
+    "$reduce",
+    "$reverseArray",
+    "$sortArray",
+    "$zip",
+    "$cond",
+    "$ifNull",
+    "$switch",
+    "$cmp",
+    "$allElementsTrue",
+    "$anyElementTrue",
+    "$setDifference",
+    "$setEquals",
+    "$setIntersection",
+    "$setIsSubset",
+    "$setUnion",
+    "$concat",
+    "$dateFromString",
+    "$indexOfBytes",
+    "$indexOfCP",
+    "$ltrim",
+    "$regexFind",
+    "$regexFindAll",
+    "$regexMatch",
+    "$replaceOne",
+    "$replaceAll",
+    "$rtrim",
+    "$split",
+    "$strLenBytes",
+    "$strLenCP",
+    "$strcasecmp",
+    "$substr",
+    "$substrBytes",
+    "$substrCP",
+    "$toLower",
+    "$toString",
+    "$trim",
+    "$toUpper",
+    "$dateAdd",
+    "$dateDiff",
+    "$dateFromParts",
+    "$dateSubtract",
+    "$dateToParts",
+    "$dateToString",
+    "$dateTrunc",
+    "$dayOfMonth",
+    "$dayOfWeek",
+    "$dayOfYear",
+    "$hour",
+    "$isoDayOfWeek",
+    "$isoWeek",
+    "$isoWeekYear",
+    "$millisecond",
+    "$minute",
+    "$month",
+    "$second",
+    "$week",
+    "$year",
+    "$convert",
+    "$toBool",
+    "$toDate",
+    "$toDecimal",
+    "$toDouble",
+    "$toInt",
+    "$toLong",
+    "$toObjectId",
+    "$let",
+    "$literal",
+    "$function",
+    "$accumulator",
+    "$getField",
+    "$mergeObjects",
+    "$bsonSize",
+}
+
+
+def replace_blocked_mongo_operators(value):
+    """
+    basically just turns any mongo operator that's above into _OPERATION instead of $OPERATION
+    """
+    try:
+        if isinstance(value, dict):
+            cleaned = {}
+            for key, nested_value in value.items():
+                cleaned_key = replace_blocked_mongo_operators(key)
+                cleaned_value = replace_blocked_mongo_operators(nested_value)
+                cleaned[cleaned_key] = cleaned_value
+            return cleaned
+        if isinstance(value, list):
+            return [replace_blocked_mongo_operators(item) for item in value]
+        if isinstance(value, tuple):
+            return tuple(replace_blocked_mongo_operators(item) for item in value)
+        if isinstance(value, set):
+            return {replace_blocked_mongo_operators(item) for item in value}
+        if isinstance(value, str):
+            if value in MONGO_OPERATOR_REPLACEMENTS:
+                return value.replace("$", "_", 1)
+            return value
+        return value
+    except Exception:
+        return value
+
+
+def sanitize(*arg_names):
+    """
+    decorator that can be used on functions to take an argument name and replace the operators
+
+    for example:
+
+        @sanitize_mongo_args("name")
+        def hello_world(name):
+            print(f"hello {name}")
+
+       hello_world("$toInt") -> hello _toInt
+       hello_world("$dateFromParts") -> hello _dateFromParts
+    """
+    arg_names = set(arg_names)
+    def decorator(func):
+        sig = inspect.signature(func)
+        @wraps(func)
+        def wrapper(*args, **kwargs):
+            try:
+                bound = sig.bind_partial(*args, **kwargs)
+                bound.apply_defaults()
+
+                for name in arg_names:
+                    if name in bound.arguments:
+                        bound.arguments[name] = replace_blocked_mongo_operators(
+                            bound.arguments[name]
+                        )
+                return func(*bound.args, **bound.kwargs)
+            except Exception:
+                return None
+        return wrapper
+    return decorator

mongo_secure-0.1.0.dist-info/METADATA

@@ -0,0 +1,69 @@
+Metadata-Version: 2.4
+Name: mongo_secure
+Version: 0.1.0
+Summary: Sanitize MongoDB operator strings in selected function arguments.
+Author-email: Thomas Perkins <contact@perkinsfund.org>
+License: MIT
+Project-URL: Homepage, https://github.com/YOUR_USERNAME/mongo_secure
+Project-URL: Repository, https://github.com/YOUR_USERNAME/mongo_secure
+Project-URL: Issues, https://github.com/YOUR_USERNAME/mongo_secure/issues
+Keywords: mongodb,sanitize,decorator,security
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Typing :: Typed
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+
+# mongo_secure
+
+Sanitize selected function arguments by replacing MongoDB operators.
+
+## Installation
+
+```
+pip install mongo_secure
+```
+
+## Usage
+
+```python
+from mongo_secure import sanitize
+
+
+@sanitize("name", "place")
+def hello_world(name, place):
+    print(name)
+    print(place)
+
+hello_world("$toInt", "$gt")
+#<= _toInt
+#<= _gt
+```
+
+Nested objects are sanitized recursively
+
+```python
+from mongo_secure import replace_blocked_mongo_operators
+
+
+payload = {
+    "$set": {
+        "age": "$toInt",
+        "tags": ["safe", "$where"]
+    }
+}
+
+
+print(replace_blocked_mongo_operators(payload))
+#<= {"_set": {"age": "_toInt", "tags": ["safe", "_where"]}}
+```
+
+## License
+MIT

mongo_secure-0.1.0.dist-info/RECORD

@@ -0,0 +1,6 @@
+mongo_secure/__init__.py,sha256=P0IO5TyGHiGk8BJMBpOSzccUOdO9nHgnvApuhOJ5gSU,137
+mongo_secure/sanitizer.py,sha256=TuEgf8f_fTcN0wWGHiPBRmwD3DwKEMm72jS8dHX8ysE,5564
+mongo_secure-0.1.0.dist-info/METADATA,sha256=pF9QJn-7BrbyGPlWTosBiooZiZo7Bid7RamwyIqdssA,1733
+mongo_secure-0.1.0.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
+mongo_secure-0.1.0.dist-info/top_level.txt,sha256=Y-zAbzxsZAv6oc4arw0HeN0OY8X8OM735mj61LH-6oI,13
+mongo_secure-0.1.0.dist-info/RECORD,,

mongo_secure-0.1.0.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (82.0.1)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

mongo_secure-0.1.0.dist-info/top_level.txt

@@ -0,0 +1 @@
+mongo_secure