dafortune / hapi-qs Goto Github PK

We need to enable parsing of multipart/form-data uploads.

Release notes: hapijs/hapi#3871

look for request.setUrl() references in your code and ensure you are only passing valid arguments.
if you use request.setUrl() to override query processing (e.g. using the qs module), consider switching to the much simpler server.options.query.parser option.

I assume this package can be deprecated and alternatively the change to the query parser suggested?

The v18 way would be:

query: {
  parser: (query) => qs.parse(query)
}

This module is currently shown as vulnerable by Node Security checks due to its reliance on a vulnerable version of hoek through the joi dependency.

NSP Security Advisory: https://nodesecurity.io/advisories/566
CVE Advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3728

Parsing can fail.

@jo suggested standard on #8

hapijs/hapi#3658

edit: provided there's any breaking changes related to this plugin -- haven't actually checked.

The payload is set to an object but it should be empty. That causes an error in hapijs/h2o2. To reproduce, here is the minimal setup.

package.json

{
  "name": "hapi-h2o2-error",
  "version": "1.0.0",
  "main": "index.js",
  "dependencies": {
    "good": "^7.0.1",
    "good-console": "^6.1.2",
    "good-squeeze": "^4.0.0",
    "h2o2": "^5.1.0",
    "hapi": "^13.5.0",
    "hapi-qs": "^1.1.1"
  }
}

The index.js:

var Hapi = require('hapi');
var server = new Hapi.Server();

server.connection({host: 'localhost', port: 3000});

server.register([
  require('h2o2'),
  require('hapi-qs'),
  {
    register: require('good'),
    options: {
      reporters: {
        console: [{
          module: 'good-squeeze',
          name: 'Squeeze',
          args: [{log: '*', response: '*'}]
        }, {
          module: 'good-console'
        }, 'stdout']
      }
    }
  }
], (error) => {
  if (error) {
    throw error;
  }

  server.route([  {
    method: 'GET',
    path: '/test',
    handler: {
      proxy: {
        passThrough: true,
        mapUri: (request, callback) => {
          callback(null, 'https://api.github.com/users/ro-ka');
        }
      }
    }
  }]);
});

server.start(error => {
  if (error) {
    throw(error);
  }

  server.log('info', `Server running at: ${server.info.uri}`);
});

I installed good for logging. What causes this error is this header: Content-Type: application/x-www-form-urlencoded. So when using curl, this is what happens:

~ – curl 'http://localhost:3000/test' -H 'Content-Type: application/x-www-form-urlencoded'
{"statusCode":500,"error":"Internal Server Error","message":"An internal server error occurred"}

~ – curl 'http://localhost:3000/test'
{
  "login": "ro-ka",
  "id": 840022,
  "avatar_url": "https://avatars.githubusercontent.com/u/840022?v=3",
  "gravatar_id": "",
  "url": "https://api.github.com/users/ro-ka",
  …
}

The error only occurs when the header set. The payload is an empty object which breaks the proxy plugin. Can the payload be set to null or an empty string when there is nothing parsed?

It appears that there is a problem with hapi-qs that causes the stripTrailingSlash to not be respected, thus triggering 404 errors for users accessing with a trailing slash.

We must accept both upper and lower case