Increase parser arrayLimit to 100 (#7430)

* Add queryStringParser settings to parser middleware

Signed-off-by: David Janas <davidjanasr@gmail.com>

* add queryStringParser config to middleware documentation

Signed-off-by: David Janas <davidjanasr@gmail.com>
David Janas 2020-08-13 12:35:38 -04:00 committed by GitHub
parent e3d6ce132e
commit 11f900085e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 13 additions and 6 deletions


@ -170,6 +170,9 @@ The following middlewares cannot be disabled: responses, router, logger and boom
- `multipart` (boolean): Enable or disable multipart bodies parsing. Default value: `true`.
- `jsonLimit` (string|integer): The byte (if integer) limit of the JSON body. Default value: `1mb`.
- `formLimit` (string|integer): The byte (if integer) limit of the form body. Default value: `56k`.
- `queryStringParser` (see [qs](https://github.com/ljharb/qs) for a full list of options).
- `arrayLimit` (integer): the maximum length of an array in the query string. Any array members with an index of greater than the limit will instead be converted to an object with the index as the key. Default value: `100`.
- `depth` (integer): maximum parsing depth of nested query string objects. Default value: `20`.
::: tip
The session doesn't work with `mongo` as a client. The package that we should use is broken for now.


@ -1,6 +1,10 @@
{
"parser": {
"enabled": true,
"multipart": true
"multipart": true,
"queryStringParser": {
"arrayLimit": 100,
"depth": 20
}
}
}


@ -2,11 +2,12 @@
const body = require('koa-body');
const qs = require('qs');
const { omit } = require('lodash');
/**
* Body parser hook
*/
const addQsParser = app => {
const addQsParser = (app, settings) => {
Object.defineProperty(app.request, 'query', {
configurable: false,
enumerable: true,
@ -16,7 +17,7 @@ const addQsParser = app => {
get() {
const qstr = this.querystring;
const cache = (this._querycache = this._querycache || {});
return cache[qstr] || (cache[qstr] = qs.parse(qstr, { depth: 20 }));
return cache[qstr] || (cache[qstr] = qs.parse(qstr, settings));
},
/*
@ -40,14 +41,13 @@ module.exports = strapi => {
// disable for graphql
// TODO: find a better way later
if (ctx.url === '/graphql') return next();
return body({
patchKoa: true,
...strapi.config.middleware.settings.parser,
...omit(strapi.config.middleware.settings.parser, 'queryStringParser'),
})(ctx, next);
});
addQsParser(strapi.app);
addQsParser(strapi.app, strapi.config.get('middleware.settings.parser.queryStringParser'));
},
};
};
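Review bot: The `query` getter in the second hunk now hands `settings` to `qs.parse` unmodified, so every parsing limit applied to untrusted query strings comes from configuration alone. If `strapi.config.get('middleware.settings.parser.queryStringParser')` returns undefined (for instance when a project overrides the parser settings and the defaults are not merged in, which is not visible here), qs falls back to its own defaults and the previous hard-coded `depth: 20` is silently lost. Keeping explicit defaults at the call site would make the behaviour predictable: `qs.parse(qstr, { depth: 20, arrayLimit: 100, ...settings })`. It would also help to add a comment above `addQsParser` saying that `depth`, `arrayLimit` and options such as `allowPrototypes` are safeguards against resource exhaustion and prototype-key overwrites, and should not be relaxed without a reason. The body of `addQsParser` starts and ends outside the hunks shown.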