Weird req.query behavior

[VladimirMikulic]

Hi! I recently encountered an interesting case of how query string shows up in req.query in my logs.

Normal call: https://some-api.com/?tags=tag1,tag2,tag3

{
  tags: "tag1,tag2,tag3"
}

Weird/potentially dangerous: https://some-api.com/?tags=tag1,tag2,tag3&tags[i]=tag4 <- notice this tags[i]=<value>

Here's how the req.query looks like:

{
  tags: ["tag1", "tag2", "tag3", { i: "tag" }]
}

I would expect tags to be a string just like in normal call.
It shouldn't suddenly turn to an array with strings and an object at the end.

[dougwilson]

Hi @VladimirMikulic yes, this is the expected behavior. You can find that in our documentation about req.query (http://expressjs.com/en/api.html#req.query) and the query parser setting http://expressjs.com/en/api.html#app.settings.table

You can change the behavior with that above query parser setting. You likely want the simple parser rather than the extended parser. The main difference is that extended uses the qs module and simple uses the Node.js querystring module (both linked from our docs).

I hope that helps!

[VladimirMikulic]

Thank you for a fast reply, @dougwilson! That makes sense.