Fix crash when req.query handling

https://expressjs.com/en/5x/api.html#req.query "As req.query’s shape is based on user-controlled input, all properties and values in this object are untrusted and should be validated before trusting" In essence, req.query.xx can be an array OR an array of strings.
2025-07-13 13:14:32 +02:00
parent dc7f5e3dbc
commit 04de621e37
14 changed files with 66 additions and 60 deletions
--- a/src/server.js
+++ b/src/server.js
@@ -31,8 +31,8 @@ function notFoundHandler(req, res, next) {

 async function initializeExpressSync() {
    const app = express();
-    // disable slowloris prevention: https://github.com/nodejs/node/issues/47421
-    const httpServer = http.createServer({ headersTimeout: 0, requestTimeout: 0 }, app); // see also nginx client_header_timeout (30s)
+    // disable slowloris prevention: https://github.com/nodejs/node/issues/47421 . duplicate headers are discarded for the standard headers (https://nodejs.org/api/http.html#messageheaders)
+    const httpServer = http.createServer({ headersTimeout: 0, requestTimeout: 0, joinDuplicateHeaders: false }, app); // see also nginx client_header_timeout (30s)

    const wsServer = new ws.Server({ noServer: true }); // in noServer mode, we have to handle 'upgrade' and call handleUpgrade

@@ -45,6 +45,7 @@ async function initializeExpressSync() {

    app.set('json spaces', 2); // pretty json
    app.enable('trust proxy'); // trust the X-Forwarded-* headers
+    app.set('query parser', 'simple'); // uses the built-in querystring module for query parsing. req.query always has strings or array of strings

    const router = new express.Router();
    router.del = router.delete; // amend router.del for readability further on