Allow setting of qs depth option about body-parser HOT 5 CLOSED

Hi! This has, of course, been brought up many times :) Currently the answer is you'll never be able to set options in urlencoded that do not apply to both extended and non-extended parsers (depth would not apply to the non-extended version). The option to use qs module is called "extended" instead of "parser: qs" because it is not meant to show any detail of the parser module used in the end (and, in fact, this saved us in being able to upgrade the qs parser for a security fix without requiring a major version bump in this module).

Version 2.0 of the module will, however, allow you to use whatever parsing function you desire, which would mean you could make your own custom parsing function that uses qs with whatever option (like depth) you wanted without support from this module needing to be built-in.

For now, I'm going to close the issue, as the direct request will never be added here, but in 2.0 you'll have an indirect solution, unlike the current version.

from body-parser.

Oh, and of course if you're wondering, until 2.0, the current work-around would be to think about why you are even providing such a deep structure as urlencoded and not as JSON and perhaps simply use JSON (which will parse your structure > 50x faster), you can use the urlencoded({ extended: false }) and then pass req.body through qs yourself to expand it with your custom depth, or you can use a module like raw-body to capture the body and run that through qs.

from body-parser.

The 2.0 approach sounds good. Arbitrary parse functions will be useful and give access to the underlying parser at the level we would need to fix this deep-nesting issue.

Sorry for the dup, I must have searched incorrectly for previous issues. This is a pretty opaque gotcha with the qs module, you might want to make it an example for new users. And yep, we solved this by switching to application/json - but I felt to be responsible I should report what I found :)

from body-parser.

Sorry for the dup, I must have searched incorrectly for previous issues.

It's no problem--I have done the same thing myself in other projects, so it's certainly fine :)

This is a pretty opaque gotcha with the qs module

Yea, it is. I believe it came about because it was too easy to make a really deep structure without much effort from the client, but, I mean, you can do that with JSON, so I'm not sure what the real benefit of making the default low is, other than perhaps nudging people to say they may really want to be using JSON ;) I may even decide to up that limit with this module (I have some other qs limit turned higher in this module already).

you might want to make it an example for new users.

This is true, though it's hard to really give them an example until the module supports it :) I may certainly write it down as an example of using the newer "custom parse functionality" stuff, though.

but I felt to be responsible I should report what I found :)

Once again, it's no problem :)

from body-parser.

Version 1.11.0 doesn't allow you to set the depth, but there is no longer a limit, so it's not necessary to control the value.

from body-parser.