Weird req.query behavior

Question

Weird req.query behavior

VladimirMikulic opened this issue 2 years ago · comments

Hi! I recently encountered an interesting case of how query string shows up in req.query in my logs.

Normal call: https://some-api.com/?tags=tag1,tag2,tag3

{
  tags: "tag1,tag2,tag3"
}

Weird/potentially dangerous: https://some-api.com/?tags=tag1,tag2,tag3&tags[i]=tag4 <- notice this tags[i]=<value>

Here's how the req.query looks like:

{
  tags: ["tag1", "tag2", "tag3", { i: "tag" }]
}

I would expect tags to be a string just like in normal call.
It shouldn't suddenly turn to an array with strings and an object at the end.

Douglas Wilson · Answer 1 · Wed Mar 30 2022 02:52:35 GMT+0800 (China Standard Time)

Hi @VladimirMikulic yes, this is the expected behavior. You can find that in our documentation about req.query (http://expressjs.com/en/api.html#req.query) and the query parser setting http://expressjs.com/en/api.html#app.settings.table

You can change the behavior with that above query parser setting. You likely want the simple parser rather than the extended parser. The main difference is that extended uses the qs module and simple uses the Node.js querystring module (both linked from our docs).

I hope that helps!

Vladimir Mikulic · Answer 2 · Wed Mar 30 2022 02:57:54 GMT+0800 (China Standard Time)

Thank you for a fast reply, @dougwilson! That makes sense.