Merge pull request #388 from AikidoSec/patch-bson-id

Detect BSON object IDs in URLs

library/helpers/buildRouteFromURL.test.ts

@@ -1,5 +1,6 @@
 import * as t from "tap";
 import { buildRouteFromURL } from "./buildRouteFromURL";
+import * as ObjectID from "bson-objectid";
 
 t.test("it returns undefined for invalid URLs", async () => {
   t.same(buildRouteFromURL(""), undefined);
@@ -144,3 +145,15 @@ t.test("it replaces secrets", async () => {
     "/confirm/:secret"
   );
 });
+
+t.test("it replaces BSON ObjectIDs", async () => {
+  t.same(
+    // @ts-expect-error It says that the expression isn't callable
+    buildRouteFromURL(`/posts/${ObjectID().toHexString()}`),
+    "/posts/:objectId"
+  );
+  t.same(
+    buildRouteFromURL(`/posts/66ec29159d00113616fc7184`),
+    "/posts/:objectId"
+  );
+});

library/helpers/buildRouteFromURL.ts

@@ -4,6 +4,7 @@ import { isIP } from "net";
 
 const UUID =
   /(?:[0-9a-f]{8}-[0-9a-f]{4}-[1-8][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}|00000000-0000-0000-0000-000000000000|ffffffff-ffff-ffff-ffff-ffffffffffff)$/i;
+const OBJECT_ID = /^[0-9a-f]{24}$/i;
 const NUMBER = /^\d+$/;
 const DATE = /^\d{4}-\d{2}-\d{2}|\d{2}-\d{2}-\d{4}$/;
 const EMAIL =
@@ -43,6 +44,10 @@ function replaceURLSegmentWithParam(segment: string) {
     return ":uuid";
   }
 
+  if (segment.length === 24 && OBJECT_ID.test(segment)) {
+    return ":objectId";
+  }
+
   if (startsWithNumber && DATE.test(segment)) {
     return ":date";
   }

library/package.json

@@ -53,6 +53,7 @@
     "aws-sdk": "^2.1595.0",
     "axios": "^1.7.3",
     "better-sqlite3": "^11.2.0",
+    "bson-objectid": "^2.0.4",
     "cookie-parser": "^1.4.6",
     "eslint": "^8.56.0",
     "eslint-config-prettier": "^9.1.0",