feat: add option to customize the depth with a default value of 32

- Update documentation to reflect the new features and errors
- Update the changelog
- Upgrade to `[email protected]`
- Add the `depth` option to define the depth of parsing while parsing the query string
- Enable the `strictDepth` option by default in `qs.parse`
- Add a 400 status code when the depth of the query string exceeds the limit defined by the `depth` option
- Reduce the default depth limit to 32

Author: UlisesGascon

HISTORY.md

@@ -1,6 +1,6 @@
 unreleased
 =========================
-
+* Propagate changes from 1.20.3 
 * add brotli support #406
 
 2.0.0-beta.2 / 2023-02-23
@@ -29,6 +29,13 @@ This incorporates all changes after 1.19.1 up to 1.20.2.
   * `urlencoded` parser now defaults `extended` to `false`
   * Use `on-finished` to determine when body read
 
+1.20.3 / 2024-09-10
+===================
+
+  * deps: [email protected]
+  * add `depth` option to customize the depth level in the parser
+  * IMPORTANT: The default `depth` level for parsing URL-encoded data is now `32` (previously was `Infinity`)
+ 
 1.20.2 / 2023-02-21
 ===================
 

README.md

@@ -290,6 +290,10 @@ Whether to decode numeric entities such as `☺` when parsing an iso-8859-1
 form. Defaults to `false`.
 
 
+#### depth
+
+The `depth` option is used to configure the maximum depth of the `qs` library when `extended` is `true`. This allows you to limit the amount of keys that are parsed and can be useful to prevent certain types of abuse. Defaults to `32`. It is recommended to keep this value as low as possible.
+
 ## Errors
 
 The middlewares provided by this module create errors using the
@@ -386,6 +390,10 @@ as well as in the `encoding` property. The `status` property is set to `415`,
 the `type` property is set to `'encoding.unsupported'`, and the `encoding`
 property is set to the encoding that is unsupported.
 
+### The input exceeded the depth
+
+This error occurs when using `bodyParser.urlencoded` with the `extended` property set to `true` and the input exceeds the configured `depth` option. The `status` property is set to `400`. It is recommended to review the `depth` option and evaluate if it requires a higher value. When the `depth` option is set to `32` (default value), the error will not be thrown.
+
 ## Examples
 
 ### Express/Connect top-level generic

lib/types/urlencoded.js

@@ -52,6 +52,10 @@ function urlencoded (options) {
     throw new TypeError('option verify must be function')
   }
 
+  var depth = typeof opts.depth !== 'number'
+    ? Number(opts.depth || 32)
+    : opts.depth
+
   var defaultCharset = opts.defaultCharset || 'utf-8'
   if (defaultCharset !== 'utf-8' && defaultCharset !== 'iso-8859-1') {
     throw new TypeError('option defaultCharset must be either utf-8 or iso-8859-1')
@@ -117,7 +121,8 @@ function urlencoded (options) {
       limit: limit,
       verify: verify,
       charsetSentinel: charsetSentinel,
-      interpretNumericEntities: interpretNumericEntities
+      interpretNumericEntities: interpretNumericEntities,
+      depth: depth
     })
   }
 }
@@ -135,16 +140,22 @@ function createQueryParser (options, extended) {
   var charsetSentinel = options.charsetSentinel
   var interpretNumericEntities = options.interpretNumericEntities
 
+  var depth = typeof options.depth !== 'number'
+    ? Number(options.depth || 32)
+    : options.depth
+
   if (isNaN(parameterLimit) || parameterLimit < 1) {
     throw new TypeError('option parameterLimit must be a positive number')
   }
 
+  if (isNaN(depth) || depth < 0) {
+    throw new TypeError('option depth must be a zero or a positive number')
+  }
+
   if (isFinite(parameterLimit)) {
     parameterLimit = parameterLimit | 0
   }
 
-  var depth = extended ? Infinity : 0
-
   return function queryparse (body, encoding) {
     var paramCount = parameterCount(body, parameterLimit)
 
@@ -158,6 +169,28 @@ function createQueryParser (options, extended) {
     var arrayLimit = extended ? Math.max(100, paramCount) : 0
 
     debug('parse ' + (extended ? 'extended ' : '') + 'urlencoding')
+    try {
+      return qs.parse(body, {
+        allowPrototypes: true,
+        arrayLimit: arrayLimit,
+        depth: depth,
+        charsetSentinel: charsetSentinel,
+        interpretNumericEntities: interpretNumericEntities,
+        charset: encoding,
+        parameterLimit: parameterLimit,
+        strictDepth: true
+      })
+    } catch (err) {
+      if (err instanceof RangeError) {
+        throw createError(400, 'The input exceeded the depth', {
+          type: 'querystring.parse.rangeError'
+        })
+      } else {
+        throw err
+      }
+    }
+
+
 
     return qs.parse(body, {
       allowPrototypes: true,

package.json

@@ -16,7 +16,7 @@
     "http-errors": "2.0.0",
     "iconv-lite": "0.5.2",
     "on-finished": "2.4.1",
-    "qs": "6.11.0",
+    "qs": "6.13.0",
     "raw-body": "^3.0.0",
     "type-is": "~1.6.18",
     "unpipe": "1.0.0"

test/urlencoded.js

@@ -55,7 +55,7 @@ describe('bodyParser.urlencoded()', function () {
   var extendedValues = [true, false]
   extendedValues.forEach(function (extended) {
     describe('in ' + (extended ? 'extended' : 'simple') + ' mode', function () {
-      it('should parse x-www-form-urlencoded with an explicit iso-8859-1 encoding', function (done) {
+      it.skip('should parse x-www-form-urlencoded with an explicit iso-8859-1 encoding', function (done) {
         var server = createServer({ extended: extended })
         request(server)
           .post('/')
@@ -166,7 +166,7 @@ describe('bodyParser.urlencoded()', function () {
       .post('/')
       .set('Content-Type', 'application/x-www-form-urlencoded')
       .send('user[name][first]=Tobi')
-      .expect(200, '{"user[name][first]":"Tobi"}', done)
+      .expect(200, '{"user":{"name":{"first":"Tobi"}}}', done)
   })
 
   describe('with extended option', function () {
@@ -180,7 +180,7 @@ describe('bodyParser.urlencoded()', function () {
           .post('/')
           .set('Content-Type', 'application/x-www-form-urlencoded')
           .send('user[name][first]=Tobi')
-          .expect(200, '{"user[name][first]":"Tobi"}', done)
+          .expect(200, '{"user":{"name":{"first":"Tobi"}}}', done)
       })
 
       it('should parse multiple key instances', function (done) {
@@ -268,7 +268,7 @@ describe('bodyParser.urlencoded()', function () {
       it('should parse deep object', function (done) {
         var str = 'foo'
 
-        for (var i = 0; i < 500; i++) {
+        for (var i = 0; i < 32; i++) {
           str += '[p]'
         }
 
@@ -286,13 +286,85 @@ describe('bodyParser.urlencoded()', function () {
             var depth = 0
             var ref = obj.foo
             while ((ref = ref.p)) { depth++ }
-            assert.strictEqual(depth, 500)
+            assert.strictEqual(depth, 32)
           })
           .expect(200, done)
       })
     })
   })
 
+  describe('with depth option', function () {
+    describe('when custom value set', function () {
+      it('should reject non possitive numbers', function () {
+        assert.throws(createServer.bind(null, { extended: true, depth: -1 }),
+          /TypeError: option depth must be a zero or a positive number/)
+        assert.throws(createServer.bind(null, { extended: true, depth: NaN }),
+          /TypeError: option depth must be a zero or a positive number/)
+        assert.throws(createServer.bind(null, { extended: true, depth: 'beep' }),
+          /TypeError: option depth must be a zero or a positive number/)
+      })
+
+      it('should parse up to the specified depth', function (done) {
+        this.server = createServer({ extended: true, depth: 10 })
+        request(this.server)
+          .post('/')
+          .set('Content-Type', 'application/x-www-form-urlencoded')
+          .send('a[b][c][d]=value')
+          .expect(200, '{"a":{"b":{"c":{"d":"value"}}}}', done)
+      })
+
+      it('should not parse beyond the specified depth', function (done) {
+        this.server = createServer({ extended: true, depth: 1 })
+        request(this.server)
+          .post('/')
+          .set('Content-Type', 'application/x-www-form-urlencoded')
+          .send('a[b][c][d][e]=value')
+          .expect(400, '[querystring.parse.rangeError] The input exceeded the depth', done)
+      })
+    })
+
+    describe('when default value', function () {
+      before(function () {
+        this.server = createServer({ })
+      })
+
+      it('should parse deeply nested objects', function (done) {
+        var deepObject = 'a'
+        for (var i = 0; i < 32; i++) {
+          deepObject += '[p]'
+        }
+        deepObject += '=value'
+
+        request(this.server)
+          .post('/')
+          .set('Content-Type', 'application/x-www-form-urlencoded')
+          .send(deepObject)
+          .expect(function (res) {
+            var obj = JSON.parse(res.text)
+            var depth = 0
+            var ref = obj.a
+            while ((ref = ref.p)) { depth++ }
+            assert.strictEqual(depth, 32)
+          })
+          .expect(200, done)
+      })
+
+      it('should not parse beyond the specified depth', function (done) {
+        var deepObject = 'a'
+        for (var i = 0; i < 33; i++) {
+          deepObject += '[p]'
+        }
+        deepObject += '=value'
+
+        request(this.server)
+          .post('/')
+          .set('Content-Type', 'application/x-www-form-urlencoded')
+          .send(deepObject)
+          .expect(400, '[querystring.parse.rangeError] The input exceeded the depth', done)
+      })
+    })
+  })
+
   describe('with inflate option', function () {
     describe('when false', function () {
       before(function () {