From 99bd8960f8bbf4cddae778f8e2395932ad985e4c Mon Sep 17 00:00:00 2001 From: IamLizu Date: Wed, 13 Nov 2024 00:19:08 +0600 Subject: [PATCH] [New] `parse`: add `throwOnParameterLimitExceeded` option --- README.md | 24 +++++++++++ lib/parse.js | 40 ++++++++++++++--- test/parse.js | 117 ++++++++++++++++++++++++++++++++++++++++++++------ 3 files changed, 162 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index 7347a3c4..c56f517d 100644 --- a/README.md +++ b/README.md @@ -135,6 +135,18 @@ var limited = qs.parse('a=b&c=d', { parameterLimit: 1 }); assert.deepEqual(limited, { a: 'b' }); ``` +If you want an error to be thrown whenever the a limit is exceeded (eg, `parameterLimit`, `arrayLimit`), set the `throwOnLimitExceeded` option to `true`. This option will generate a descriptive error if the query string exceeds a configured limit. +```javascript +try { + qs.parse('a=1&b=2&c=3&d=4', { parameterLimit: 3, throwOnLimitExceeded: true }); +} catch (err) { + assert(err instanceof Error); + assert.strictEqual(err.message, 'Parameter limit exceeded. Only 3 parameters allowed.'); +} +``` + +When `throwOnLimitExceeded` is set to `false` (default), **qs** will parse up to the specified `parameterLimit` and ignore the rest without throwing an error. + To bypass the leading question mark, use `ignoreQueryPrefix`: ```javascript @@ -286,6 +298,18 @@ var withArrayLimit = qs.parse('a[1]=b', { arrayLimit: 0 }); assert.deepEqual(withArrayLimit, { a: { '1': 'b' } }); ``` +If you want to throw an error whenever the array limit is exceeded, set the `throwOnLimitExceeded` option to `true`. This option will generate a descriptive error if the query string exceeds a configured limit. +```javascript +try { + qs.parse('a[1]=b', { arrayLimit: 0, throwOnLimitExceeded: true }); +} catch (err) { + assert(err instanceof Error); + assert.strictEqual(err.message, 'Array limit exceeded. Only 0 array members allowed.'); +} +``` + +When `throwOnLimitExceeded` is set to `false` (default), **qs** will parse up to the specified `arrayLimit` and if the limit is exceeded, the array will instead be converted to an object with the index as the key + To disable array parsing entirely, set `parseArrays` to `false`. ```javascript diff --git a/lib/parse.js b/lib/parse.js index f6dabf14..39e861fc 100644 --- a/lib/parse.js +++ b/lib/parse.js @@ -34,11 +34,15 @@ var interpretNumericEntities = function (str) { }); }; -var parseArrayValue = function (val, options) { +var parseArrayValue = function (val, options, currentArrayLength) { if (val && typeof val === 'string' && options.comma && val.indexOf(',') > -1) { return val.split(','); } + if (options.throwOnLimitExceeded && currentArrayLength >= options.arrayLimit) { + throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.'); + } + return val; }; @@ -57,8 +61,17 @@ var parseValues = function parseQueryStringValues(str, options) { var cleanStr = options.ignoreQueryPrefix ? str.replace(/^\?/, '') : str; cleanStr = cleanStr.replace(/%5B/gi, '[').replace(/%5D/gi, ']'); + var limit = options.parameterLimit === Infinity ? undefined : options.parameterLimit; - var parts = cleanStr.split(options.delimiter, limit); + var parts = cleanStr.split( + options.delimiter, + options.throwOnLimitExceeded ? limit + 1 : limit + ); + + if (options.throwOnLimitExceeded && parts.length > limit) { + throw new RangeError('Parameter limit exceeded. Only ' + limit + ' parameter' + (limit === 1 ? '' : 's') + ' allowed.'); + } + var skipIndex = -1; // Keep track of where the utf8 sentinel was found var i; @@ -93,8 +106,13 @@ var parseValues = function parseQueryStringValues(str, options) { val = options.strictNullHandling ? null : ''; } else { key = options.decoder(part.slice(0, pos), defaults.decoder, charset, 'key'); + val = utils.maybeMap( - parseArrayValue(part.slice(pos + 1), options), + parseArrayValue( + part.slice(pos + 1), + options, + isArray(obj[key]) ? obj[key].length : 0 + ), function (encodedVal) { return options.decoder(encodedVal, defaults.decoder, charset, 'value'); } @@ -121,7 +139,13 @@ var parseValues = function parseQueryStringValues(str, options) { }; var parseObject = function (chain, val, options, valuesParsed) { - var leaf = valuesParsed ? val : parseArrayValue(val, options); + var currentArrayLength = 0; + if (chain.length > 0 && chain[chain.length - 1] === '[]') { + var parentKey = chain.slice(0, -1).join(''); + currentArrayLength = Array.isArray(val) && val[parentKey] ? val[parentKey].length : 0; + } + + var leaf = valuesParsed ? val : parseArrayValue(val, options, currentArrayLength); for (var i = chain.length - 1; i >= 0; --i) { var obj; @@ -235,6 +259,11 @@ var normalizeParseOptions = function normalizeParseOptions(opts) { if (typeof opts.charset !== 'undefined' && opts.charset !== 'utf-8' && opts.charset !== 'iso-8859-1') { throw new TypeError('The charset option must be either utf-8, iso-8859-1, or undefined'); } + + if (typeof opts.throwOnLimitExceeded !== 'undefined' && typeof opts.throwOnLimitExceeded !== 'boolean') { + throw new TypeError('`throwOnLimitExceeded` option must be a boolean'); + } + var charset = typeof opts.charset === 'undefined' ? defaults.charset : opts.charset; var duplicates = typeof opts.duplicates === 'undefined' ? defaults.duplicates : opts.duplicates; @@ -266,7 +295,8 @@ var normalizeParseOptions = function normalizeParseOptions(opts) { parseArrays: opts.parseArrays !== false, plainObjects: typeof opts.plainObjects === 'boolean' ? opts.plainObjects : defaults.plainObjects, strictDepth: typeof opts.strictDepth === 'boolean' ? !!opts.strictDepth : defaults.strictDepth, - strictNullHandling: typeof opts.strictNullHandling === 'boolean' ? opts.strictNullHandling : defaults.strictNullHandling + strictNullHandling: typeof opts.strictNullHandling === 'boolean' ? opts.strictNullHandling : defaults.strictNullHandling, + throwOnLimitExceeded: typeof opts.throwOnLimitExceeded === 'boolean' ? opts.throwOnLimitExceeded : false }; }; diff --git a/test/parse.js b/test/parse.js index d678ac1d..73ef8dfa 100644 --- a/test/parse.js +++ b/test/parse.js @@ -118,7 +118,7 @@ test('parse()', function (t) { st.end(); }); - t.test('should decode dot in key of object, and allow enabling dot notation when decodeDotInKeys is set to true and allowDots is undefined', function (st) { + t.test('decodes dot in key of object, and allow enabling dot notation when decodeDotInKeys is set to true and allowDots is undefined', function (st) { st.deepEqual( qs.parse( 'name%252Eobj%252Esubobject.first%252Egodly%252Ename=John&name%252Eobj%252Esubobject.last=Doe', @@ -131,7 +131,7 @@ test('parse()', function (t) { st.end(); }); - t.test('should throw when decodeDotInKeys is not of type boolean', function (st) { + t.test('throws when decodeDotInKeys is not of type boolean', function (st) { st['throws']( function () { qs.parse('foo[]&bar=baz', { decodeDotInKeys: 'foobar' }); }, TypeError @@ -161,7 +161,7 @@ test('parse()', function (t) { st.end(); }); - t.test('should throw when allowEmptyArrays is not of type boolean', function (st) { + t.test('throws when allowEmptyArrays is not of type boolean', function (st) { st['throws']( function () { qs.parse('foo[]&bar=baz', { allowEmptyArrays: 'foobar' }); }, TypeError @@ -444,7 +444,7 @@ test('parse()', function (t) { st.end(); }); - t.test('should not throw when a native prototype has an enumerable property', function (st) { + t.test('does not throw when a native prototype has an enumerable property', function (st) { st.intercept(Object.prototype, 'crash', { value: '' }); st.intercept(Array.prototype, 'crash', { value: '' }); @@ -965,7 +965,7 @@ test('parse()', function (t) { st.end(); }); - t.test('should ignore an utf8 sentinel with an unknown value', function (st) { + t.test('ignores an utf8 sentinel with an unknown value', function (st) { st.deepEqual(qs.parse('utf8=foo&' + urlEncodedOSlashInUtf8 + '=' + urlEncodedOSlashInUtf8, { charsetSentinel: true, charset: 'utf-8' }), { ø: 'ø' }); st.end(); }); @@ -1035,6 +1035,95 @@ test('parse()', function (t) { st.end(); }); + t.test('parameter limit tests', function (st) { + st.test('does not throw error when within parameter limit', function (sst) { + var result = qs.parse('a=1&b=2&c=3', { parameterLimit: 5, throwOnLimitExceeded: true }); + sst.deepEqual(result, { a: '1', b: '2', c: '3' }, 'parses without errors'); + sst.end(); + }); + + st.test('throws error when throwOnLimitExceeded is present but not boolean', function (sst) { + sst['throws']( + function () { + qs.parse('a=1&b=2&c=3&d=4&e=5&f=6', { parameterLimit: 3, throwOnLimitExceeded: 'true' }); + }, + new TypeError('`throwOnLimitExceeded` option must be a boolean'), + 'throws error when throwOnLimitExceeded is present and not boolean' + ); + sst.end(); + }); + + st.test('throws error when parameter limit exceeded', function (sst) { + sst['throws']( + function () { + qs.parse('a=1&b=2&c=3&d=4&e=5&f=6', { parameterLimit: 3, throwOnLimitExceeded: true }); + }, + new RangeError('Parameter limit exceeded. Only 3 parameters allowed.'), + 'throws error when parameter limit is exceeded' + ); + sst.end(); + }); + + st.test('silently truncates when throwOnLimitExceeded is not given', function (sst) { + var result = qs.parse('a=1&b=2&c=3&d=4&e=5', { parameterLimit: 3 }); + sst.deepEqual(result, { a: '1', b: '2', c: '3' }, 'parses and truncates silently'); + sst.end(); + }); + + st.test('silently truncates when parameter limit exceeded without error', function (sst) { + var result = qs.parse('a=1&b=2&c=3&d=4&e=5', { parameterLimit: 3, throwOnLimitExceeded: false }); + sst.deepEqual(result, { a: '1', b: '2', c: '3' }, 'parses and truncates silently'); + sst.end(); + }); + + st.test('allows unlimited parameters when parameterLimit set to Infinity', function (sst) { + var result = qs.parse('a=1&b=2&c=3&d=4&e=5&f=6', { parameterLimit: Infinity }); + sst.deepEqual(result, { a: '1', b: '2', c: '3', d: '4', e: '5', f: '6' }, 'parses all parameters without truncation'); + sst.end(); + }); + + st.end(); + }); + + t.test('array limit tests', function (st) { + st.test('does not throw error when array is within limit', function (sst) { + var result = qs.parse('a[]=1&a[]=2&a[]=3', { arrayLimit: 5, throwOnLimitExceeded: true }); + sst.deepEqual(result, { a: ['1', '2', '3'] }, 'parses array without errors'); + sst.end(); + }); + + st.test('throws error when throwOnLimitExceeded is present but not boolean for array limit', function (sst) { + sst['throws']( + function () { + qs.parse('a[]=1&a[]=2&a[]=3&a[]=4', { arrayLimit: 3, throwOnLimitExceeded: 'true' }); + }, + new TypeError('`throwOnLimitExceeded` option must be a boolean'), + 'throws error when throwOnLimitExceeded is present and not boolean for array limit' + ); + sst.end(); + }); + + st.test('throws error when array limit exceeded', function (sst) { + sst['throws']( + function () { + qs.parse('a[]=1&a[]=2&a[]=3&a[]=4', { arrayLimit: 3, throwOnLimitExceeded: true }); + }, + new RangeError('Array limit exceeded. Only 3 elements allowed in an array.'), + 'throws error when array limit is exceeded' + ); + sst.end(); + }); + + st.test('converts array to object if length is greater than limit', function (sst) { + const result = qs.parse('a[1]=1&a[2]=2&a[3]=3&a[4]=4&a[5]=5&a[6]=6', { arrayLimit: 5 }); + + sst.deepEqual(result, { a: { 1: '1', 2: '2', 3: '3', 4: '4', 5: '5', 6: '6' } }, 'parses into object if array length is greater than limit'); + sst.end(); + }); + + st.end(); + }); + t.end(); }); @@ -1093,7 +1182,7 @@ test('qs strictDepth option - throw cases', function (t) { qs.parse('a[b][c][d][e][f][g][h][i]=j', { depth: 1, strictDepth: true }); }, RangeError, - 'Should throw RangeError' + 'throws RangeError' ); st.end(); }); @@ -1104,7 +1193,7 @@ test('qs strictDepth option - throw cases', function (t) { qs.parse('a[0][1][2][3][4]=b', { depth: 3, strictDepth: true }); }, RangeError, - 'Should throw RangeError' + 'throws RangeError' ); st.end(); }); @@ -1115,7 +1204,7 @@ test('qs strictDepth option - throw cases', function (t) { qs.parse('a[b][c][0][d][e]=f', { depth: 3, strictDepth: true }); }, RangeError, - 'Should throw RangeError' + 'throws RangeError' ); st.end(); }); @@ -1126,7 +1215,7 @@ test('qs strictDepth option - throw cases', function (t) { qs.parse('a[b][c][d][e]=true&a[b][c][d][f]=42', { depth: 3, strictDepth: true }); }, RangeError, - 'Should throw RangeError' + 'throws RangeError' ); st.end(); }); @@ -1140,7 +1229,7 @@ test('qs strictDepth option - non-throw cases', function (t) { qs.parse('a[b][c][d][e]=true&a[b][c][d][f]=42', { depth: 0, strictDepth: true }); }, RangeError, - 'Should not throw RangeError' + 'does not throw RangeError' ); st.end(); }); @@ -1149,7 +1238,7 @@ test('qs strictDepth option - non-throw cases', function (t) { st.doesNotThrow( function () { var result = qs.parse('a[b]=c', { depth: 1, strictDepth: true }); - st.deepEqual(result, { a: { b: 'c' } }, 'Should parse correctly'); + st.deepEqual(result, { a: { b: 'c' } }, 'parses correctly'); } ); st.end(); @@ -1159,7 +1248,7 @@ test('qs strictDepth option - non-throw cases', function (t) { st.doesNotThrow( function () { var result = qs.parse('a[b][c][d][e][f][g][h][i]=j', { depth: 1 }); - st.deepEqual(result, { a: { b: { '[c][d][e][f][g][h][i]': 'j' } } }, 'Should parse with depth limit'); + st.deepEqual(result, { a: { b: { '[c][d][e][f][g][h][i]': 'j' } } }, 'parses with depth limit'); } ); st.end(); @@ -1169,7 +1258,7 @@ test('qs strictDepth option - non-throw cases', function (t) { st.doesNotThrow( function () { var result = qs.parse('a[b]=c', { depth: 1 }); - st.deepEqual(result, { a: { b: 'c' } }, 'Should parse correctly'); + st.deepEqual(result, { a: { b: 'c' } }, 'parses correctly'); } ); st.end(); @@ -1179,7 +1268,7 @@ test('qs strictDepth option - non-throw cases', function (t) { st.doesNotThrow( function () { var result = qs.parse('a[b][c]=d', { depth: 2, strictDepth: true }); - st.deepEqual(result, { a: { b: { c: 'd' } } }, 'Should parse correctly'); + st.deepEqual(result, { a: { b: { c: 'd' } } }, 'parses correctly'); } ); st.end();