Fix crash when req.query handling
https://expressjs.com/en/5x/api.html#req.query "As req.query’s shape is based on user-controlled input, all properties and values in this object are untrusted and should be validated before trusting" In essence, req.query.xx can be an array OR an array of strings.
This commit is contained in:
Girish Ramakrishnan
@@ -20,17 +20,17 @@ async function get(req, res, next) {
|
||||
}
|
||||
|
||||
async function list(req, res, next) {
|
||||
const page = typeof req.query.page !== 'undefined' ? parseInt(req.query.page) : 1;
|
||||
const page = typeof req.query.page === 'string' ? parseInt(req.query.page) : 1;
|
||||
if (!page || page < 0) return next(new HttpError(400, 'page query param has to be a postive number'));
|
||||
|
||||
const perPage = typeof req.query.per_page !== 'undefined'? parseInt(req.query.per_page) : 25;
|
||||
const perPage = typeof req.query.per_page === 'string'? parseInt(req.query.per_page) : 25;
|
||||
if (!perPage || perPage < 0) return next(new HttpError(400, 'per_page query param has to be a postive number'));
|
||||
|
||||
if (req.query.actions && typeof req.query.actions !== 'string') return next(new HttpError(400, 'actions must be a comma separated string'));
|
||||
if (req.query.action && typeof req.query.action !== 'string') return next(new HttpError(400, 'action must be a string'));
|
||||
if (req.query.search && typeof req.query.search !== 'string') return next(new HttpError(400, 'search must be a string'));
|
||||
|
||||
const actions = req.query.actions ? req.query.actions.split(',').map(function (s) { return s.trim(); }) : [];
|
||||
const actions = typeof req.query.actions === 'string' ? req.query.actions.split(',').map(function (s) { return s.trim(); }) : [];
|
||||
if (req.query.action) actions.push(req.query.action);
|
||||
|
||||
const [error, eventlogs] = await safe(eventlog.listPaged(actions, req.query.search || null, page, perPage));
|
||||
|
||||
Reference in New Issue
Block a user