Fix query parameter truncation with configurable limit

virtual machine · virtual machine · commit a59c33961395 · 2026-03-20T20:38:03.000-05:00
- Change default query parser from 'simple' to 'extended' - Add 'query parser limit' setting with default of 10000 - Pass limit to query parser at parse time (not compile time) - Fixes issue expressjs#5878 - query params truncated at 1000+ params - Supersedes PR expressjs#7116 which used Infinity (security concern)
diff --git a/lib/application.js b/lib/application.js
@@ -94,7 +94,8 @@ app.defaultConfiguration = function defaultConfiguration() {
   this.enable('x-powered-by');
   this.set('etag', 'weak');
   this.set('env', env);
-  this.set('query parser', 'simple')
+  this.set('query parser', 'extended')
+  this.set('query parser limit', 10000);
   this.set('subdomain offset', 2);
   this.set('trust proxy', false);
 
diff --git a/lib/request.js b/lib/request.js
@@ -236,8 +236,9 @@ defineGetter(req, 'query', function query(){
   }
 
   var querystring = parse(this).query;
+  var limit = this.app.get('query parser limit');
 
-  return queryparse(querystring);
+  return queryparse(querystring, limit);
 });
 
 /**
diff --git a/lib/utils.js b/lib/utils.js
@@ -163,18 +163,27 @@ exports.compileQueryParser = function compileQueryParser(val) {
   var fn;
 
   if (typeof val === 'function') {
-    return val;
+    return function(str, limit) {
+      // For custom functions, pass both args but don't enforce limit
+      return val(str);
+    };
   }
 
   switch (val) {
     case true:
     case 'simple':
-      fn = querystring.parse;
+      fn = function(str, limit) {
+        // querystring.parse doesn't support limit, ignore it
+        return querystring.parse(str);
+      };
       break;
     case false:
       break;
     case 'extended':
-      fn = parseExtendedQueryString;
+      fn = function(str, limit) {
+        // parseExtendedQueryString supports limit
+        return parseExtendedQueryString(str, limit);
+      };
       break;
     default:
       throw new TypeError('unknown value for query parser function: ' + val);
@@ -260,12 +269,14 @@ function createETagGenerator (options) {
  * Parse an extended query string with qs.
  *
  * @param {String} str
+ * @param {Number} [limit] - Maximum number of parameters to parse (default: 10000)
  * @return {Object}
  * @private
  */
 
-function parseExtendedQueryString(str) {
+function parseExtendedQueryString(str, limit) {
   return qs.parse(str, {
-    allowPrototypes: true
+    allowPrototypes: true,
+    parameterLimit: limit !== undefined ? limit : 10000
   });
 }
diff --git a/test/req.query.js b/test/req.query.js
@@ -14,9 +14,17 @@ describe('req', function(){
       .expect(200, '{}', done);
     });
 
-    it('should default to parse simple keys', function (done) {
+    it('should default to parse extended keys', function (done) {
       var app = createApp();
 
+      request(app)
+      .get('/?user[name]=tj')
+      .expect(200, '{"user":{"name":"tj"}}', done);
+    });
+
+    it('should parse simple keys when configured', function (done) {
+      var app = createApp('simple');
+
       request(app)
       .get('/?user[name]=tj')
       .expect(200, '{"user[name]":"tj"}', done);

Original file line number	Diff line number	Diff line change
`@@ -236,8 +236,9 @@ defineGetter(req, 'query', function query(){`
`236`	`236`	`}`
`237`	`237`
`238`	`238`	`var querystring = parse(this).query;`
	`239`	`+ var limit = this.app.get('query parser limit');`
`239`	`240`
`240`		`- return queryparse(querystring);`
	`241`	`+ return queryparse(querystring, limit);`
`241`	`242`	`});`
`242`	`243`
`243`	`244`	`/**`