Express, Querystring parameter limit of req.query
2022-11-19 21:41:53

### Summary

A few days ago, I found some interesting logic in req.query(), which calls the qs module internally. The qs module limits the number of parameters, and the default limit is 1000.

So if we send more than 1000 parameters, the server does not read anything after the 1000th parameter.

### Analysis

The req.query() method calls the qs.parse() method, whose arguments are val and opts. val is the value that the parseUrl() method produces by parsing what we sent.

The qs.parse() method in turn calls the parseValues() function internally.

If you look at the parseValues() function, you can see a value called options.parameterLimit. The limit variable is used in cleanStr.split(options.delimiter, limit), where cleanStr is the query string we sent. This means only the first 1000 query strings are parsed.

I wrote an Express server for testing.

I wrote a PoC that passes over 1000 parameters. As a result of executing the PoC, the parameters up to the 1000th are output, but the pocas parameter, the 1001st, is not output.

The code above is a PoC that sends 1000 query strings including the pocas parameter. Looking at the result, the number of parameters does not exceed 1000, so even pocas is parsed correctly.
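The truncation described above, reproduced as an added example (this is not the author's PoC and not the qs source). `parseWithLimit`, `exceedsLimit` and `buildQuery` are hypothetical names, and the parser is a simplified model of the `split(delimiter, limit)` step only.

```javascript
// Simplified model of the split-with-limit step described above (not the qs source).
// Nested keys and repeated keys, which qs supports, are ignored here.
const PARAMETER_LIMIT = 1000; // default limit named on the page

function decode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch { return s; }
}

function parseWithLimit(rawQuery, limit = PARAMETER_LIMIT) {
  const cleanStr = rawQuery.replace(/^\?/, '');
  const out = Object.create(null);
  if (cleanStr === '') return out;
  // split(delimiter, limit) silently discards every piece past the limit
  for (const part of cleanStr.split('&', limit)) {
    const eq = part.indexOf('=');
    const key = eq === -1 ? part : part.slice(0, eq);
    const val = eq === -1 ? '' : part.slice(eq + 1);
    out[decode(key)] = decode(val);
  }
  return out;
}

// Hypothetical defensive helper: count pairs in the raw string so a request
// whose tail would be dropped can be rejected or logged instead of ignored.
function exceedsLimit(rawQuery, limit = PARAMETER_LIMIT) {
  const cleanStr = rawQuery.replace(/^\?/, '');
  if (cleanStr === '') return false;
  let pairs = 1;
  for (const ch of cleanStr) if (ch === '&') pairs++;
  return pairs > limit;
}

// Constructed sample input: fillerCount filler pairs followed by pocas=1
function buildQuery(fillerCount) {
  const pairs = [];
  for (let i = 0; i < fillerCount; i++) pairs.push(`a${i}=${i}`);
  pairs.push('pocas=1');
  return pairs.join('&');
}

const overLimit = buildQuery(1000); // pocas is the 1001st parameter
const atLimit = buildQuery(999);    // pocas is the 1000th parameter

console.log('over limit, pocas parsed:', 'pocas' in parseWithLimit(overLimit));
console.log('at limit, pocas parsed:  ', 'pocas' in parseWithLimit(atLimit));
console.log('over limit flagged:      ', exceedsLimit(overLimit));
```

When the limit is exceeded, anything that inspects the raw query string (logging, validation in front of the application) sees parameters that the application itself never parses, which is why counting pairs before parsing is useful.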

This logic is not important. I just wrote it down so I can use it someday.
