analog-nico / hpp Goto Github PK

// Select the first parameter value
reqPart[paramKey] = paramValue[paramValue.length-1];

As far as I understand, this selects the last parameter value.
Is the comment wrong or the assignement itself?

Selecting the first occurrence of a parameter is a frequently used method of handling repeated parameters, see slide 9 of OWASP's parameter pollution presentation.

Selecting the first occurrence also avoids factoring in unwanted parameters appended by the user.

Is this project still ON ?
If so any support for Koa ?

When I call this endpoint:
/search?name=Chris&name=Bob

It works as intended giving me the value of Bob

If I do the next query:
/search?name=Chris&name=Bob&name[test]

It breaks and outputs an object of all the values passed in and not the last value of Bob.

Is this a break or am I using the package wrong?

Thanks

I noticed that you import lodash as a whole instead of specific lodash libraries that you are using. I suggest you change that to avoid polluting the resulting packages.

This module assumes that any query parameter is not supposed to be an array. However some applications might actually require to use an array parameter. This type of parameter is invalidated by this module while cleaning other potentially invalid parameters.

Example:

GET /?query=foo&query=bar&filters[]=123&filters[]=456

I would like a way to notify the plugin to clean only query or to exclude filters from the cleaning.

can you please update lodash to the latest version (4.17.21)
so that snyk security alert will be fixed for this package?

Any plans to write one for Koa?

firstly thank for this modules. am trying to incorporate this module in my project, below is the code

var express = require('express'), 
routes = require('./routes'),
user = require('./routes/user'),
http = require('http'),
metafetch = require('metafetch'),
expressValidator = require('express-validator'),
path = require('path');
var moment = require('moment');
var bodyParser = require('body-parser');
var hpp = require('hpp');
var errTo = require('errto');
var Err = require('custom-err');

var app = express();
var server = http.createServer(app);
//all environments
app.set('port', process.env.port || 3000);
app.set('views', __dirname + '/views');
app.set('view engine', 'jade');
app.use(express.favicon());
app.use(express.logger('dev'));
//app.use(express.bodyParser());

app.use(expressValidator()); // this line must be immediately after express.bodyParser()!

app.use(express.methodOverride());
app.use(app.router);
app.use(express.static(path.join(__dirname, 'public')));

app.use(bodyParser.urlencoded({extended: true}));
app.use(hpp()); // <- THIS IS THE NEW LINE

app.get('/hpp',function(req,res)
    {
        console.log("req.query.fname : ",req.query.fname);
        console.log("req.query.lname : ",req.query.lname);
        console.log("req.query : ",req.query);
        //console.log("req.body : ",req.body);
        //res.send(req.query);
});

http.createServer(app).listen(app.get('port'), function(){
  console.log('Express server listening on port ' + app.get('port'));
});

output in console is
Express server listening on port 3000
req.query.fname : [ 'pitu', 'p3' ]
req.query.lname : undefined
req.query : { fname: [ 'pitu', 'p3' ], [proto]: {} }

i want output for fname to last value of array i.e "p3", am i doing something wrong