query sanitation is not happening or not mutating req.query object
var express = require('express')
var app = express()
const { query, validationResult } = require('express-validator')

// Middleware: run the validation/sanitization chains against req, then
// continue to the route handler or reply with the collected errors.
const getUsersList = async (req, res, next) => {
  const validations = [
    query('saitizedParam').trim().escape(),              // expected: strip whitespace, HTML-escape
    query('testLenParam').isLength({ min: 5 }),          // validate only, no sanitizer
    query('textParam').not().isEmpty().trim().escape()   // must be present, then trim + escape
  ]
  await Promise.all(validations.map(validation => validation.run(req)))
  const errors = validationResult(req)
  if (errors.isEmpty()) {
    return next()
  }
  res.status(403).json({ error: errors.array() })
}

app.get('/', getUsersList, function (req, res) {
  // Reads req.query after the sanitizers ran, expecting the escaped values.
  const {
    query
  } = req
  console.log(query)
  res.status(200).json(query)
})

app.listen(3030)
Try sending this:
http://localhost:3030/?saitizedParam=%20%20%20Hello%20world%20:%3E)%20%20%20&testLenParam=qwerty&textParam=123test
The console will output the same unsanitized value, i.e. Hello world :>) with > and spaces kept.

Validator.js version: 6.12.1
Express.js version: 5.0.0-alpha.8
Node.js version: v14.15.5
OS platform: windows
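The following is an added example, not code from the issue, from Express or from express-validator. It models the root cause and the workaround: Express 5 turned req.query into a read-only getter that re-parses req.url on every access (this is called out in the Express 5 migration notes), so a sanitizer that writes its result back into req.query changes nothing, while on Express 4 the same write sticks because req.query is a plain property. makeExpress4Req, makeExpress5Req, escapeHtml (a reduced version of validator.js's escape), sanitizeInPlace and runValidations are stand-ins built here for illustration; the non-mutating pattern runValidations shows, sanitized values collected into a separate object instead of read back from req.query, is what express-validator's matchedData() provides.

```javascript
// Added example, not code from the issue or from Express/express-validator.
// It models why an in-place sanitizer that writes into req.query is a no-op on
// Express 5 and shows the non-mutating alternative: collect sanitized values in
// a separate object (the pattern express-validator's matchedData() gives you).

// Parse the query string of a request path. Node's global URL is used here;
// Express's default "extended" parser (qs) is not needed for this illustration.
function parseQuery(url) {
  return Object.fromEntries(new URL(url, 'http://localhost').searchParams);
}

// Stand-in request objects (assumptions for illustration, not Express code).
// Express 4: req.query is a plain, writable property parsed once.
function makeExpress4Req(url) {
  return { url, query: parseQuery(url) };
}
// Express 5: req.query is a getter that re-parses req.url on every access,
// so whatever you assign into the returned object is thrown away.
function makeExpress5Req(url) {
  return {
    url,
    get query() { return parseQuery(this.url); },
  };
}

// Minimal HTML escape modelled on validator.js's escape(); & must go first.
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/\//g, '&#x2F;')
    .replace(/\\/g, '&#x5C;')
    .replace(/`/g, '&#96;');
}

// The issue's three chains, expressed as {field, sanitize, validate} rules.
const rules = [
  { field: 'saitizedParam', sanitize: s => escapeHtml(s.trim()), validate: () => true },
  { field: 'testLenParam', sanitize: s => s, validate: v => typeof v === 'string' && v.length >= 5 },
  { field: 'textParam', sanitize: s => escapeHtml(s.trim()), validate: v => typeof v === 'string' && v.length > 0 },
];

// What the issue expected to happen: sanitize and write back into req.query.
function sanitizeInPlace(req, rules) {
  for (const rule of rules) {
    const raw = req.query[rule.field];
    if (typeof raw === 'string') req.query[rule.field] = rule.sanitize(raw);
  }
  return req.query;
}

// Non-mutating variant: sanitize into a fresh object and report errors, so the
// caller reads `data` and never touches req.query again.
function runValidations(req, rules) {
  const data = {};
  const errors = [];
  for (const rule of rules) {
    const raw = req.query[rule.field];
    const value = typeof raw === 'string' ? rule.sanitize(raw) : raw;
    if (!rule.validate(value)) errors.push({ param: rule.field, value });
    else if (value !== undefined) data[rule.field] = value;
  }
  return { data, errors };
}

// The exact query string from the issue.
const ISSUE_URL = '/?saitizedParam=%20%20%20Hello%20world%20:%3E)%20%20%20&testLenParam=qwerty&textParam=123test';

// Three outcomes for the same input: Express 4 in place (sanitized), Express 5
// in place (unchanged, the bug in the issue), Express 5 collected (sanitized).
function demo() {
  return {
    express4InPlace: sanitizeInPlace(makeExpress4Req(ISSUE_URL), rules).saitizedParam,
    express5InPlace: sanitizeInPlace(makeExpress5Req(ISSUE_URL), rules).saitizedParam,
    express5Collected: runValidations(makeExpress5Req(ISSUE_URL), rules).data.saitizedParam,
  };
}

console.log(demo());
```

In the real application the equivalent change is to stop reading req.query in the route handler after the chains have run and instead call express-validator's matchedData(req), which returns only the fields that were validated, with the sanitized values applied, regardless of whether req.query is writable.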
Issue Analytics
- Created 2 years ago
- Comments: 6 (3 by maintainers)
Top GitHub Comments
@fedeci yes, I tend to agree. Thank you for paying attention
Yes, that does not mutate the original req object and works 👍