mongo-secure 0.1.0__tar.gz

mongo_secure-0.1.0/PKG-INFO

@@ -0,0 +1,69 @@
+Metadata-Version: 2.4
+Name: mongo_secure
+Version: 0.1.0
+Summary: Sanitize MongoDB operator strings in selected function arguments.
+Author-email: Thomas Perkins <contact@perkinsfund.org>
+License: MIT
+Project-URL: Homepage, https://github.com/YOUR_USERNAME/mongo_secure
+Project-URL: Repository, https://github.com/YOUR_USERNAME/mongo_secure
+Project-URL: Issues, https://github.com/YOUR_USERNAME/mongo_secure/issues
+Keywords: mongodb,sanitize,decorator,security
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Typing :: Typed
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+
+# mongo_secure
+
+Sanitize selected function arguments by replacing MongoDB operators.
+
+## Installation
+
+```
+pip install mongo_secure
+```
+
+## Usage
+
+```python
+from mongo_secure import sanitize
+
+
+@sanitize("name", "place")
+def hello_world(name, place):
+    print(name)
+    print(place)
+
+hello_world("$toInt", "$gt")
+#<= _toInt
+#<= _gt
+```
+
+Nested objects are sanitized recursively
+
+```python
+from mongo_secure import replace_blocked_mongo_operators
+
+
+payload = {
+    "$set": {
+        "age": "$toInt",
+        "tags": ["safe", "$where"]
+    }
+}
+
+
+print(replace_blocked_mongo_operators(payload))
+#<= {"_set": {"age": "_toInt", "tags": ["safe", "_where"]}}
+```
+
+## License
+MIT

mongo_secure-0.1.0/README.md

@@ -0,0 +1,46 @@
+# mongo_secure
+
+Sanitize selected function arguments by replacing MongoDB operators.
+
+## Installation
+
+```
+pip install mongo_secure
+```
+
+## Usage
+
+```python
+from mongo_secure import sanitize
+
+
+@sanitize("name", "place")
+def hello_world(name, place):
+    print(name)
+    print(place)
+
+hello_world("$toInt", "$gt")
+#<= _toInt
+#<= _gt
+```
+
+Nested objects are sanitized recursively
+
+```python
+from mongo_secure import replace_blocked_mongo_operators
+
+
+payload = {
+    "$set": {
+        "age": "$toInt",
+        "tags": ["safe", "$where"]
+    }
+}
+
+
+print(replace_blocked_mongo_operators(payload))
+#<= {"_set": {"age": "_toInt", "tags": ["safe", "_where"]}}
+```
+
+## License
+MIT

mongo_secure-0.1.0/pyproject.toml

@@ -0,0 +1,38 @@
+[build-system]
+requires = ["setuptools>=69", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "mongo_secure"
+version = "0.1.0"
+description = "Sanitize MongoDB operator strings in selected function arguments."
+readme = "README.md"
+requires-python = ">=3.9"
+license = { text = "MIT" }
+authors = [
+  { name = "Thomas Perkins", email = "contact@perkinsfund.org" }
+]
+keywords = ["mongodb", "sanitize", "decorator", "security"]
+classifiers = [
+  "Development Status :: 3 - Alpha",
+  "Intended Audience :: Developers",
+  "License :: OSI Approved :: MIT License",
+  "Programming Language :: Python :: 3",
+  "Programming Language :: Python :: 3.9",
+  "Programming Language :: Python :: 3.10",
+  "Programming Language :: Python :: 3.11",
+  "Programming Language :: Python :: 3.12",
+  "Programming Language :: Python :: 3.13",
+  "Typing :: Typed"
+]
+
+[project.urls]
+Homepage = "https://github.com/YOUR_USERNAME/mongo_secure"
+Repository = "https://github.com/YOUR_USERNAME/mongo_secure"
+Issues = "https://github.com/YOUR_USERNAME/mongo_secure/issues"
+
+[tool.setuptools.packages.find]
+where = ["src"]
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]

mongo_secure-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

mongo_secure-0.1.0/src/mongo_secure/__init__.py

@@ -0,0 +1,10 @@
+from .sanitizer import (
+    MONGO_OPERATOR_REPLACEMENTS,
+    replace_blocked_mongo_operators,
+    sanitize
+)
+
+
+__all__ = [
+
+]

mongo_secure-0.1.0/src/mongo_secure/sanitizer.py

@@ -0,0 +1,262 @@
+import inspect
+
+from functools import wraps
+
+
+MONGO_OPERATOR_REPLACEMENTS = {
+    "$all",
+    "$elemMatch",
+    "$size",
+    "$bitsAllClear",
+    "$bitsAllSet",
+    "$bitsAnyClear",
+    "$bitsAnySet",
+    "$eq",
+    "$ne",
+    "$gt",
+    "$gte",
+    "$lt",
+    "$lte",
+    "$in",
+    "$nin",
+    "$exists",
+    "$type",
+    "$expr",
+    "$jsonSchema",
+    "$mod",
+    "$regex",
+    "$where",
+    "$and",
+    "$not",
+    "$nor",
+    "$or",
+    "$geoIntersects",
+    "$geoWithin",
+    "$near",
+    "$nearSphere",
+    "$meta",
+    "$slice",
+    "$currentDate",
+    "$inc",
+    "$min",
+    "$max",
+    "$mul",
+    "$rename",
+    "$set",
+    "$setOnInsert",
+    "$unset",
+    "$[]",
+    "$addToSet",
+    "$pop",
+    "$pull",
+    "$push",
+    "$pullAll",
+    "$each",
+    "$position",
+    "$sort",
+    "$bit",
+    "$text",
+    "$search",
+    "$comment",
+    "$options",
+    "$rand",
+    "$natural",
+    "$",
+    "$setField",
+    "$unsetField",
+    "$replaceRoot",
+    "$replaceWith",
+    "$match",
+    "$project",
+    "$addFields",
+    "$group",
+    "$limit",
+    "$skip",
+    "$lookup",
+    "$graphLookup",
+    "$unwind",
+    "$facet",
+    "$bucket",
+    "$bucketAuto",
+    "$count",
+    "$sortByCount",
+    "$sample",
+    "$unionWith",
+    "$documents",
+    "$densify",
+    "$fill",
+    "$geoNear",
+    "$indexStats",
+    "$listLocalSessions",
+    "$listSessions",
+    "$planCacheStats",
+    "$redact",
+    "$searchMeta",
+    "$setWindowFields",
+    "$collStats",
+    "$out",
+    "$merge",
+    "$abs",
+    "$add",
+    "$ceil",
+    "$divide",
+    "$exp",
+    "$floor",
+    "$ln",
+    "$log",
+    "$log10",
+    "$multiply",
+    "$pow",
+    "$round",
+    "$sqrt",
+    "$subtract",
+    "$trunc",
+    "$arrayElemAt",
+    "$arrayToObject",
+    "$concatArrays",
+    "$filter",
+    "$first",
+    "$firstN",
+    "$indexOfArray",
+    "$isArray",
+    "$last",
+    "$lastN",
+    "$map",
+    "$maxN",
+    "$minN",
+    "$objectToArray",
+    "$range",
+    "$reduce",
+    "$reverseArray",
+    "$sortArray",
+    "$zip",
+    "$cond",
+    "$ifNull",
+    "$switch",
+    "$cmp",
+    "$allElementsTrue",
+    "$anyElementTrue",
+    "$setDifference",
+    "$setEquals",
+    "$setIntersection",
+    "$setIsSubset",
+    "$setUnion",
+    "$concat",
+    "$dateFromString",
+    "$indexOfBytes",
+    "$indexOfCP",
+    "$ltrim",
+    "$regexFind",
+    "$regexFindAll",
+    "$regexMatch",
+    "$replaceOne",
+    "$replaceAll",
+    "$rtrim",
+    "$split",
+    "$strLenBytes",
+    "$strLenCP",
+    "$strcasecmp",
+    "$substr",
+    "$substrBytes",
+    "$substrCP",
+    "$toLower",
+    "$toString",
+    "$trim",
+    "$toUpper",
+    "$dateAdd",
+    "$dateDiff",
+    "$dateFromParts",
+    "$dateSubtract",
+    "$dateToParts",
+    "$dateToString",
+    "$dateTrunc",
+    "$dayOfMonth",
+    "$dayOfWeek",
+    "$dayOfYear",
+    "$hour",
+    "$isoDayOfWeek",
+    "$isoWeek",
+    "$isoWeekYear",
+    "$millisecond",
+    "$minute",
+    "$month",
+    "$second",
+    "$week",
+    "$year",
+    "$convert",
+    "$toBool",
+    "$toDate",
+    "$toDecimal",
+    "$toDouble",
+    "$toInt",
+    "$toLong",
+    "$toObjectId",
+    "$let",
+    "$literal",
+    "$function",
+    "$accumulator",
+    "$getField",
+    "$mergeObjects",
+    "$bsonSize",
+}
+
+
+def replace_blocked_mongo_operators(value):
+    """
+    basically just turns any mongo operator that's above into _OPERATION instead of $OPERATION
+    """
+    try:
+        if isinstance(value, dict):
+            cleaned = {}
+            for key, nested_value in value.items():
+                cleaned_key = replace_blocked_mongo_operators(key)
+                cleaned_value = replace_blocked_mongo_operators(nested_value)
+                cleaned[cleaned_key] = cleaned_value
+            return cleaned
+        if isinstance(value, list):
+            return [replace_blocked_mongo_operators(item) for item in value]
+        if isinstance(value, tuple):
+            return tuple(replace_blocked_mongo_operators(item) for item in value)
+        if isinstance(value, set):
+            return {replace_blocked_mongo_operators(item) for item in value}
+        if isinstance(value, str):
+            if value in MONGO_OPERATOR_REPLACEMENTS:
+                return value.replace("$", "_", 1)
+            return value
+        return value
+    except Exception:
+        return value
+
+
+def sanitize(*arg_names):
+    """
+    decorator that can be used on functions to take an argument name and replace the operators
+
+    for example:
+
+        @sanitize_mongo_args("name")
+        def hello_world(name):
+            print(f"hello {name}")
+
+       hello_world("$toInt") -> hello _toInt
+       hello_world("$dateFromParts") -> hello _dateFromParts
+    """
+    arg_names = set(arg_names)
+    def decorator(func):
+        sig = inspect.signature(func)
+        @wraps(func)
+        def wrapper(*args, **kwargs):
+            try:
+                bound = sig.bind_partial(*args, **kwargs)
+                bound.apply_defaults()
+
+                for name in arg_names:
+                    if name in bound.arguments:
+                        bound.arguments[name] = replace_blocked_mongo_operators(
+                            bound.arguments[name]
+                        )
+                return func(*bound.args, **bound.kwargs)
+            except Exception:
+                return None
+        return wrapper
+    return decorator

mongo_secure-0.1.0/src/mongo_secure.egg-info/PKG-INFO

@@ -0,0 +1,69 @@
+Metadata-Version: 2.4
+Name: mongo_secure
+Version: 0.1.0
+Summary: Sanitize MongoDB operator strings in selected function arguments.
+Author-email: Thomas Perkins <contact@perkinsfund.org>
+License: MIT
+Project-URL: Homepage, https://github.com/YOUR_USERNAME/mongo_secure
+Project-URL: Repository, https://github.com/YOUR_USERNAME/mongo_secure
+Project-URL: Issues, https://github.com/YOUR_USERNAME/mongo_secure/issues
+Keywords: mongodb,sanitize,decorator,security
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Typing :: Typed
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+
+# mongo_secure
+
+Sanitize selected function arguments by replacing MongoDB operators.
+
+## Installation
+
+```
+pip install mongo_secure
+```
+
+## Usage
+
+```python
+from mongo_secure import sanitize
+
+
+@sanitize("name", "place")
+def hello_world(name, place):
+    print(name)
+    print(place)
+
+hello_world("$toInt", "$gt")
+#<= _toInt
+#<= _gt
+```
+
+Nested objects are sanitized recursively
+
+```python
+from mongo_secure import replace_blocked_mongo_operators
+
+
+payload = {
+    "$set": {
+        "age": "$toInt",
+        "tags": ["safe", "$where"]
+    }
+}
+
+
+print(replace_blocked_mongo_operators(payload))
+#<= {"_set": {"age": "_toInt", "tags": ["safe", "_where"]}}
+```
+
+## License
+MIT

mongo_secure-0.1.0/src/mongo_secure.egg-info/SOURCES.txt

@@ -0,0 +1,9 @@
+README.md
+pyproject.toml
+src/mongo_secure/__init__.py
+src/mongo_secure/sanitizer.py
+src/mongo_secure.egg-info/PKG-INFO
+src/mongo_secure.egg-info/SOURCES.txt
+src/mongo_secure.egg-info/dependency_links.txt
+src/mongo_secure.egg-info/top_level.txt
+tests/test_sanitize.py

mongo_secure-0.1.0/src/mongo_secure.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

mongo_secure-0.1.0/src/mongo_secure.egg-info/top_level.txt

@@ -0,0 +1 @@
+mongo_secure

mongo_secure-0.1.0/tests/test_sanitize.py

@@ -0,0 +1,47 @@
+from mongo_secure import (
+    sanitize,
+    replace_blocked_mongo_operators
+)
+
+
+def test_replaces_basic_string():
+    assert replace_blocked_mongo_operators("$toInt") == "_toInt"
+
+
+def test_does_not_replace_safe_strings():
+    assert replace_blocked_mongo_operators("$notARealOperator") == "$notARealOperator"
+
+
+def test_replaces_dict_keys_and_values():
+    assert replace_blocked_mongo_operators({"$set": "$toInt"}) == {"_set": "_toInt"}
+
+
+def test_replace_nested_structures():
+    value = {
+        "$set": {
+            "items": ["$where", ("$eq", {"$gt": "$lt"})],
+            "operators": {"$or", "$and"},
+        }
+    }
+    assert replace_blocked_mongo_operators(value) == {
+        "_set": {
+            "items": ["_where", ("_eq", {"_gt": "_lt"})],
+            "operators": {"_or", "_and"},
+        }
+    }
+
+
+def test_decorator_replacements():
+    @sanitize("payload")
+    def process(payload):
+        return payload
+
+    assert process({"$set": "$toInt"}) == {"_set": "_toInt"}
+
+
+def test_decorator_leaves_safe_args():
+    @sanitize("payload")
+    def process(payload):
+        return payload
+
+    assert process("test") == "test"