Can I assume that api requests using nextjs are automatically sanitized and limited, or is security not included with nextjs?
export default async function handler(req, res) { }
Is everything such as req.body and req.query safe and escaped by default? Or will I need to manually sanitize the request
String identifiers like " and ' (" or %27 URL encoded) will be escaped with a backslash, resulting in \' or \".
For SQL queries with parameters wrapped in string identifiers like "SELECT * FROM Users WHERE UserId = '${request.query.id}'" this is enough to prevent an SQL injection.
Related
app.get(/\/example\/(.+)/, (req, res) => {
const url=req.params[0]
})
The URL "/example/test.com?a=1" matches the given regex route, but the capture group does not capture the query string. I know I can obtain the query params using req.query.
But the capture group should have captured the entire test.com?a=1, but it only captures test.com.
I don't understand why this is happening. Am I missing something?
Route strings, whether regex or simple, don't capture query strings (after the ?). You use req.query for that, as you know
They capture parts of the URL path. Therefore, if your url were
https://example.com/a/1
you could write a regex path to capture the 1.
I'm trying to send a request to my Nestjs application, with just plain string in the request body, for example:
test23+Se5+345
Then in my application, I have a middleware, where I need to do something with this string.
The problem is when I access request body in middleware const requestBody = Object.keys(req.body)[0];, this string looks like this:
test23 Se5 345
All of the + symbols are substituted by
I don't have additional convertings before this, and I know that middleware runs first in the request lifecycle. I think maybe there is some issue with body-parser, but I don't know yet how to fix this.
This is because symbol + is treated as space, so before send it, you need to encode your + characters to %2b. More here: How to encode the plus (+) symbol in a URL
I've created an Azure C# HTTP triggered function with a route url: subscriptions/{token}/t. It works fine for urls such as subscriptions/blah/t but it fails with a 404 for parameters that contain encoded slashes: subscriptions/blah%2fblah/t. Any way around this ?
Before we get into debates, {token} is a URL encoded Base64 string which will naturally contain slashes.
This issue seems to persist.
I found out that it can be resolved by double-escaping the string, that is, applying escaping recursively two times.
token = escape(escape(token));
In .NET you can use URI.EsacpeDataString()
In JS you can use encodeURIComponent()
Note, that single escaping does not work reliably with Azure functions
but it fails with a 404 for parameters that contain encoded slashes: subscriptions/blah%2fblah/t.
It is make sense because 'subscriptions/blah%2fblah/t' is equal to 'subscriptions/blah/blah/t'. I suggest you define your own encode rule for slashes. For example, you could convert all the slashes to '[[-]]'. Your token will be like this 'subscriptions/blah[[-]]blah/t'. After received the token, you could convert the special characters back.
token = token.Replace("[[-]]", "/");
I am building an express.js web API and have hit a snag working with our legacy data. We have identity fields on a particular data model that contains lots of different special characters. Here are some of our example ids:
W2220-059AP0254LL%M031
SMT II #12B75984
ST14P134-0110072,9\'98
TKH-12-110?????
So we have an endpoint like: /thing/{id}
Obviously the above examples don't work with this endpoint. I have tried to do URI encoding in our first entrypoint with express but by the time it hits that it is already too late in most cases.
Is there any other way to achieve this?
Try this middleware (before any of your routes):
app.use(function(req, res, next) {
req.url = req.url.replace(/^(\/thing\/)(.+)/, function($0, $1, $2) {
return $1 + encodeURIComponent($2);
});
next();
});
This assumes that all requests to /thing/:id are not properly encoded.
When using Express' URL parameter functionality, it seems that parameters are automatically decoded. That is, percent-encoded entities are resolved to their normal form. %20 is replaced with a space.
However, a plus + is not replaced with a space. This is presumably because Express is using decodeURIComponent() internally, which also does not replace plus + with a space. Simple example code:
app.get('/:sourceFile', function (req, res, next) {
console.log(req.params.sourceFile);
});
If you request /test%20test, then you get test test on the console. If you request /test+test, then you get test+test on the console.
Is there a way to change this mode of operation in Express 4? Is this a bug?
You are trying to use + to represent a space in the "URI part" of your request. You can't do that. A plus sign is translated to a space only in query strings.
It is not a bug. In URI specs (page 12/13 https://www.rfc-editor.org/rfc/rfc3986), plus sign is a reserved character, not meant to be translated as a space.