From 11f900085ef609d5319d6783d8a92d78b090d28d Mon Sep 17 00:00:00 2001
From: David Janas
Date: Thu, 13 Aug 2020 12:35:38 -0400
Subject: [PATCH] Increase parser arrayLimit to 100 (#7430)
* Add queryStringParser settings to parser middleware
Signed-off-by: David Janas
* add queryStringParser config to middleware documentation
Signed-off-by: David Janas
---
 docs/v3.x/concepts/middlewares.md | 3 +++
 packages/strapi/lib/middlewares/parser/defaults.json | 6 +++++-
 packages/strapi/lib/middlewares/parser/index.js | 10 +++++-----
 3 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/docs/v3.x/concepts/middlewares.md b/docs/v3.x/concepts/middlewares.md
index 8067049f99..2fe6f0ae80 100644
--- a/docs/v3.x/concepts/middlewares.md
+++ b/docs/v3.x/concepts/middlewares.md
@@ -170,6 +170,9 @@ The following middlewares cannot be disabled: responses, router, logger and boom
 - `multipart` (boolean): Enable or disable multipart bodies parsing. Default value: `true`.
 - `jsonLimit` (string|integer): The byte (if integer) limit of the JSON body. Default value: `1mb`.
 - `formLimit` (string|integer): The byte (if integer) limit of the form body. Default value: `56k`.
+ - `queryStringParser` (see [qs](https://github.com/ljharb/qs) for a full list of options).
+ - `arrayLimit` (integer): the maximum length of an array in the query string. Any array members with an index of greater than the limit will instead be converted to an object with the index as the key. Default value: `100`.
+ - `depth` (integer): maximum parsing depth of nested query string objects. Default value: `20`.
 ::: tip
 The session doesn't work with `mongo` as a client. The package that we should use is broken for now.
diff --git a/packages/strapi/lib/middlewares/parser/defaults.json b/packages/strapi/lib/middlewares/parser/defaults.json
index 5ba1b76c99..367e1f0fc5 100644
--- a/packages/strapi/lib/middlewares/parser/defaults.json
+++ b/packages/strapi/lib/middlewares/parser/defaults.json
@@ -1,6 +1,10 @@
 {
 "parser": {
 "enabled": true,
- "multipart": true
+ "multipart": true,
+ "queryStringParser": {
+ "arrayLimit": 100,
+ "depth": 20
+ }
 }
 }
diff --git a/packages/strapi/lib/middlewares/parser/index.js b/packages/strapi/lib/middlewares/parser/index.js
index 7f5c03a4bf..8ab706e5c8 100644
--- a/packages/strapi/lib/middlewares/parser/index.js
+++ b/packages/strapi/lib/middlewares/parser/index.js
@@ -2,11 +2,12 @@
 const body = require('koa-body');
 const qs = require('qs');
+const { omit } = require('lodash');
 /**
 * Body parser hook
 */
-const addQsParser = app => {
+const addQsParser = (app, settings) => {
 Object.defineProperty(app.request, 'query', {
 configurable: false,
 enumerable: true,
@@ -16,7 +17,7 @@ const addQsParser = app => {
 get() {
 const qstr = this.querystring;
 const cache = (this._querycache = this._querycache || {});
- return cache[qstr] || (cache[qstr] = qs.parse(qstr, { depth: 20 }));
+ return cache[qstr] || (cache[qstr] = qs.parse(qstr, settings));
 },
 /*
@@ -40,14 +41,13 @@ module.exports = strapi => {
 // disable for graphql
 // TODO: find a better way later
 if (ctx.url === '/graphql') return next();
-
 return body({
 patchKoa: true,
- ...strapi.config.middleware.settings.parser,
+ ...omit(strapi.config.middleware.settings.parser, 'queryStringParser'),
 })(ctx, next);
 });
- addQsParser(strapi.app);
+ addQsParser(strapi.app, strapi.config.get('middleware.settings.parser.queryStringParser'));
 },
 };
 };
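Review bot: The JSDoc block directly above the changed signature still reads only `Body parser hook`, so the new `settings` parameter on `addQsParser = (app, settings) =>` is undocumented even though its value is forwarded untouched to `qs.parse` and therefore decides how much nesting and array size an incoming query string may use. Suggest extending the comment with `@param {object} settings - options handed verbatim to qs.parse (depth, arrayLimit, ...); see the queryStringParser block in defaults.json` so a reader knows which keys are honoured and where the defaults live. The body of `addQsParser` continues past the end of this hunk.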
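Review bot: `qs.parse(qstr, settings)` replaces the hard-coded `{ depth: 20 }` with no fallback, so if the `strapi.config.get('middleware.settings.parser.queryStringParser')` lookup in the third hunk resolves to `undefined` (for example a user config that replaces the parser settings object instead of merging with defaults.json — whether the config loader allows that is not visible here), qs silently falls back to its own defaults of depth 5 and arrayLimit 20, a behaviour change that would only show up as truncated nested filters. The cheapest guard is at the call site in the third hunk: `addQsParser(strapi.app, strapi.config.get('middleware.settings.parser.queryStringParser') || { arrayLimit: 100, depth: 20 });`. Because `depth` and `arrayLimit` are the parser's bound on how much nesting and array allocation an untrusted query string can request, whichever fallback is chosen should state the values explicitly rather than lean on qs's implicit defaults. The getter's enclosing `Object.defineProperty` call starts before this hunk.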
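Review bot: Two access styles for the same config subtree now sit a few lines apart: `strapi.config.middleware.settings.parser` in the spread and `strapi.config.get('middleware.settings.parser.queryStringParser')` in the new `addQsParser` call. Using the `config.get` form for both, `...omit(strapi.config.get('middleware.settings.parser'), 'queryStringParser'),`, keeps the lookup style consistent and makes the omit/get pairing easier to keep in sync if more qs-only keys are added later. The reason for the `omit` (without it the qs-only `queryStringParser` object would be forwarded to koa-body along with the body options) is not stated anywhere; a one-line comment such as `// queryStringParser is consumed by addQsParser, not koa-body` would save the next reader a lookup. The enclosing `module.exports` function starts before this hunk.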