Comments (11)
in the future, extended should be replaced by something like parse: qs.parse where parse is an actual function or something. then people could wrap qs.parse() with a function and their own options.
unless you want to support options. i'm not sure what to call it. maybe just pass options itself to it? it's not like we'd support qs forever, so i'd rather not namespace the options to avoid api changes
from body-parser.
+1 for accepting parse option with actual parser-function.
from body-parser.
@lazutkin please check open issues first :) #41 is already about this. That issue had me open an issue with qs and then until yesterday, it wasn't even possible to change the limits in qs.
I would have had the options added in yesterday, but I can only work so fast between home and the hospital :)
@jonathanong it won't really work, especially since the core querystring module doesn't accept the options as an options object, but rather three different arguments (ugh). We will support qs forever because everyone seems to use it. If you look at the urlencoded code, you can see it does like nothing, so accepting a parsing option is dumb; #22 would be the real solution to using your own query string parser.
from body-parser.
So as a FYI here, I implemented something that would allow changing the parameterLimit for qs, but it turned out that it doesn't make sense, because just giving the module 2000 parameters to parse (the default is a 1000 limit), it takes ~1710ms to parse. This means qs pretty much tops out at 1000 parameters (which takes 80ms to parse).
from body-parser.
Heh, pretty long time)) Nevertheless, I think that it depends on projects so at least users should have a way to change options for what is appropriate to projects.
from body-parser.
This module only works with web servers, and you cannot hang your web server for 2s, so no. You can always directly use qs or, since I submitted the slowness report to the qs owners, if it is fixed I will allow increasing it here.
Also note, I am talking about parameterLimit here, not arrayLimit like your original post was about. I don't have any problems letting people change that option (doing some tests first to figure out a max. This limit is what prevents a DoS on servers. Without some limit for this, you can instantly crash a server due to OOM with a tiny packet).
from body-parser.
@lazutkin it looks like qs is going to land the perf fix.
from body-parser.
So the parameterLimit configuration has landed. Personally, w.r.t. the arrayLimit option, I would like to just set it to 0 so arrays just end up as objects always (really, a user can abuse your assumption that the thing is an array by adding a random [foo] to your array). A user can even send you something like a[0]=0&a[2]=2&a[length]=30 and you may think there are 30 items in the array.
from body-parser.
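The a[length]=30 case from the comment above, as an added example (not code from body-parser, qs, or anyone in this thread): a handler-side check that accepts only a real, dense array of strings instead of trusting a client-supplied length. The names toStrictArray, naiveCount, check and maxItems are hypothetical, and the sample object is a constructed stand-in for what the parser is assumed to hand over once a non-index key forces a plain object.

```javascript
// Constructed sample: assumed parsed shape of a[0]=0&a[2]=2&a[length]=30
// (a plain object, because "length" is not a numeric index).
const spoofed = { 0: '0', 2: '2', length: '30' };

// Handler code that trusts whatever "length" the client sent.
function naiveCount(value) {
  return Number(value.length);
}

// Hypothetical helper: return a dense array of strings, or throw.
function toStrictArray(value, maxItems = 50) {
  if (value === undefined) return [];
  // A single occurrence (a=1) arrives as a string, not an array.
  if (typeof value === 'string') return [value];
  // Array.isArray is false for array-like objects, so a spoofed
  // "length" property cannot pass as an array here.
  if (!Array.isArray(value)) {
    throw new TypeError('expected an array of strings');
  }
  if (value.length > maxItems) {
    throw new RangeError('too many items');
  }
  const out = [];
  for (let i = 0; i < value.length; i++) {
    // Reject holes (sparse arrays) and nested objects or arrays.
    const present = Object.prototype.hasOwnProperty.call(value, i);
    if (!present || typeof value[i] !== 'string') {
      throw new TypeError('item ' + i + ' is missing or not a string');
    }
    out.push(value[i]);
  }
  return out;
}

// Wrap the check so a request handler can answer 400 instead of crashing.
function check(value) {
  try {
    return { ok: true, items: toStrictArray(value) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}
```
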
Yes, reasonable!
from body-parser.
@lazutkin since setting it to 0 is not very backwards-compatible at this time, I'm going to up the default value to 50, over the default of 20 provided by the qs library. How does that sound?
from body-parser.
The main reason I'm not very keen on allowing directly passing in any options to the underlying query parser is then if the parser itself is switched by this module, it would change the public API of this module. Plus it doesn't allow me to normalize options where the two different parsers will take the same option names (like parameterLimit, which is maxKeys for the built-in parser).
from body-parser.