apavlidi / IT_API

The Internet services of the IT department of Alexander Technological Education Institute of Thessaloniki
http://api.it.teithe.gr/
MIT License

Query filter should be URL Decoded first #90

Closed iamaldi closed 4 years ago

iamaldi commented 5 years ago

In order for a user to be able to filter a query, the following HTTP Request should be sent

https://api.it.teithe.gr/announcements/public?q={%22title%22:%22newsletter%22}

However, due to the HTTP protocol, all special characters should be URL encoded by the client making the request.

On your endpoint, you are expecting pure JSON string which is not attainable due to the restriction mentioned above. Notice on https://github.com/apavlidi/IT_API/blob/eeb3e0c2090994795faacd38db97fb3122e99acc/routes/apiFunctions.js#L15-L18

that you're not URL Decoding before parsing the JSON.

Remediation

Use a URL Decode function before parsing JSON

  // decodeURIComponent() is the URL-decoding step; querystring.decode()
  // parses a whole query string into an object rather than decoding one value,
  // so JSON.parse() would not receive a string.
  if (Object.prototype.hasOwnProperty.call(query, 'q')) {
    formatedQ = JSON.parse(decodeURIComponent(query.q))
    delete query.q
  }

Note

You can use any other URL decoder, the above one is mentioned purely as an example of remedy code.

jim3692 commented 4 years ago

There is nothing wrong with the current implementation. Express.js automatically parses the query string into an object and stores it in req.query.

apavlidi commented 4 years ago

It seems that @jim3692 is right; I can't see the problem with decoding the params, since the code works properly.

@iamaldi please provide any examples of problems that may be caused due to not decoding, and feel free to reopen this issue.