analog-nico / hpp
Express middleware to protect against HTTP Parameter Pollution attacks
License: ISC License
// Select the first parameter value
reqPart[paramKey] = paramValue[paramValue.length-1];
As far as I understand, this selects the last parameter value.
Is the comment wrong, or the assignment itself?
Selecting the first occurrence of a parameter is a frequently used method of handling repeated parameters, see slide 9 of OWASP's parameter pollution presentation.
Selecting the first occurrence also avoids factoring in unwanted parameters appended by the user.
Is this project still ON?
If so, any support for Koa?
When I call this endpoint:
/search?name=Chris&name=Bob
It works as intended giving me the value of Bob
If I do the next query:
/search?name=Chris&name=Bob&name[test]
It breaks and outputs an object of all the values passed in and not the last value of Bob.
Is this a break or am I using the package wrong?
Thanks
I noticed that you import lodash as a whole instead of specific lodash libraries that you are using. I suggest you change that to avoid polluting the resulting packages.
This module assumes that any query parameter is not supposed to be an array. However, some applications might actually require the use of an array parameter. This type of parameter is invalidated by this module while cleaning other potentially invalid parameters.
Example:
GET /?query=foo&query=bar&filters[]=123&filters[]=456
I would like a way to notify the plugin to clean only query, or to exclude filters from the cleaning.
Can you please update lodash to the latest version (4.17.21) so that the Snyk security alert for this package will be fixed?
Any plans to write one for Koa?
Firstly, thanks for this module. I am trying to incorporate this module in my project; below is the code.
var express = require('express'),
    routes = require('./routes'),
    user = require('./routes/user'),
    http = require('http'),
    metafetch = require('metafetch'),
    expressValidator = require('express-validator'),
    path = require('path');
var moment = require('moment');
var bodyParser = require('body-parser');
var hpp = require('hpp');
var errTo = require('errto');
var Err = require('custom-err');
var app = express();
var server = http.createServer(app);
//all environments
app.set('port', process.env.port || 3000);
app.set('views', __dirname + '/views');
app.set('view engine', 'jade');
app.use(express.favicon());
app.use(express.logger('dev'));
//app.use(express.bodyParser());
app.use(expressValidator()); // this line must be immediately after express.bodyParser()!
app.use(express.methodOverride());
app.use(app.router);
app.use(express.static(path.join(__dirname, 'public')));
app.use(bodyParser.urlencoded({extended: true}));
app.use(hpp()); // <- THIS IS THE NEW LINE
app.get('/hpp', function(req, res)
{
    console.log("req.query.fname : ", req.query.fname);
    console.log("req.query.lname : ", req.query.lname);
    console.log("req.query : ", req.query);
    //console.log("req.body : ", req.body);
    //res.send(req.query);
});
http.createServer(app).listen(app.get('port'), function(){
console.log('Express server listening on port ' + app.get('port'));
});
output in console is
Express server listening on port 3000
req.query.fname : [ 'pitu', 'p3' ]
req.query.lname : undefined
req.query : { fname: [ 'pitu', 'p3' ], [proto]: {} }
I want the output for fname to be the last value of the array, i.e. "p3". Am I doing something wrong?