Fix crash when req.query handling

https://expressjs.com/en/5x/api.html#req.query

"As req.query’s shape is based on user-controlled input, all properties and values in this object
are untrusted and should be validated before trusting"

In essence, req.query.xx can be an array OR an array of strings.
This commit is contained in:
Girish Ramakrishnan
2025-07-13 13:14:32 +02:00
parent dc7f5e3dbc
commit 04de621e37
14 changed files with 66 additions and 60 deletions

View File

@@ -31,8 +31,8 @@ function notFoundHandler(req, res, next) {
async function initializeExpressSync() {
const app = express();
// disable slowloris prevention: https://github.com/nodejs/node/issues/47421
const httpServer = http.createServer({ headersTimeout: 0, requestTimeout: 0 }, app); // see also nginx client_header_timeout (30s)
// disable slowloris prevention: https://github.com/nodejs/node/issues/47421 . duplicate headers are discarded for the standard headers (https://nodejs.org/api/http.html#messageheaders)
const httpServer = http.createServer({ headersTimeout: 0, requestTimeout: 0, joinDuplicateHeaders: false }, app); // see also nginx client_header_timeout (30s)
const wsServer = new ws.Server({ noServer: true }); // in noServer mode, we have to handle 'upgrade' and call handleUpgrade
@@ -45,6 +45,7 @@ async function initializeExpressSync() {
app.set('json spaces', 2); // pretty json
app.enable('trust proxy'); // trust the X-Forwarded-* headers
app.set('query parser', 'simple'); // uses the built-in querystring module for query parsing. req.query always has strings or array of strings
const router = new express.Router();
router.del = router.delete; // amend router.del for readability further on