Comments (4)
Hi @avaly, good point! I was also thinking about a parameter whitelist. However, I am not sure what the whitelist should look like. Of course, it would contain the names of the parameters HPP will not touch. But that might not be enough: probably for some routes a specific parameter should be whitelisted, but for other routes the parameter with the same name should not be whitelisted.
For your example above the following would make sense:
app.use(hpp({
  whitelist: [ 'filters' ]
}));
For configuring different routes differently we could extend the whitelist data structure:
app.use(hpp({
  whitelist: [
    { routes: [ '/search' ], parameters: [ 'filters' ] },
    { routes: [ '/find' ], parameters: [ 'categories' ] }
  ]
}));
Or instead we could use native filtering:
app.use(hpp()); // To secure all other routes.
app.use('/search', hpp({ whitelist: [ 'filters' ] }));
app.use('/find', hpp({ whitelist: [ 'categories' ] }));
I prefer the last solution. However, maybe the routes are not the only distinguishing aspects:
- Should parsing req.query and req.body have different whitelists?
- Should a different whitelist apply e.g. if the client sends certain headers?
Thoughts?
I agree that the whitelist should be route-specific. I prefer your last example there with the native route filtering.
- For a big enough application the whitelist could also be query/body-specific as well.
- I don't see the use case for such a feature.
Thanks, makes sense.
I just realized the distinction between query and body could be made like this:
app.use('/search', hpp({ whitelist: [ 'filters' ], checkBody: false }));
app.use('/search', hpp({ checkQuery: false }));
This way filters is only whitelisted when passed to req.query. This maybe isn't the nicest solution, but it is enough until the first user actually makes that distinction very often and hopefully suggests something more elegant in a new issue.
OK, I will implement the whitelist as discussed shortly.
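The route-scoped whitelist and the query/body split discussed in this thread, as an added example that is not hpp's own code. It assumes repeated parameters arrive as arrays (as a query-string or body parser produces them), models Express's app.use(path, fn) prefix mounting with a tiny stand-in, and assumes that a later hpp instance with a whitelist restores a key that an earlier, global instance already put aside; the request objects are constructed.

```javascript
// Model of hpp's sanitising (assumption, not hpp's source): a repeated key is
// collapsed to its last value and the full array is kept in req.queryPolluted /
// req.bodyPolluted. A whitelisted key is left alone, and if an earlier instance
// already put it aside, it is restored so a global hpp() and a per-route
// whitelist can coexist.
function hppModel({ whitelist = [], checkQuery = true, checkBody = true } = {}) {
  const sanitize = (req, key) => {
    const clean = req[key];
    const polluted = req[key + 'Polluted'] || {};
    for (const name of Object.keys(clean)) {
      if (Array.isArray(clean[name]) && !whitelist.includes(name)) {
        polluted[name] = clean[name];
        clean[name] = clean[name][clean[name].length - 1];
      }
    }
    for (const name of whitelist) {
      if (name in polluted) { clean[name] = polluted[name]; delete polluted[name]; }
    }
    req[key + 'Polluted'] = polluted;
  };
  return (req) => {
    if (checkQuery && req.query) sanitize(req, 'query');
    if (checkBody && req.body) sanitize(req, 'body');
  };
}

// Minimal stand-in for Express's app.use(): no path means "every request",
// otherwise the mount path must match the URL path or be a prefix of it.
function createApp() {
  const stack = [];
  const mounted = (path, url) => !path || url === path || url.startsWith(path + '/');
  return {
    use(path, fn) { if (typeof path === 'function') { fn = path; path = null; } stack.push({ path, fn }); },
    handle(req) { for (const { path, fn } of stack) if (mounted(path, req.url)) fn(req); return req; },
  };
}

const app = createApp();
app.use(hppModel());                                                        // secure all other routes
app.use('/search', hppModel({ whitelist: ['filters'], checkBody: false })); // filters may repeat in the query only
app.use('/search', hppModel({ checkQuery: false }));
app.use('/find', hppModel({ whitelist: ['categories'] }));

// Constructed request: ?filters=a&filters=b&page=1&page=2 plus a body that also repeats filters.
function run(urlPath) {
  return app.handle({ url: urlPath, query: { filters: ['a', 'b'], page: ['1', '2'] }, body: { filters: ['x', 'y'] } });
}
```

On /search the repeated filters survives in req.query but not in req.body, while page and every other route are collapsed to the last value.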
I just published version 0.1.2 to npm.