Express/Connect middleware to protect against HTTP Parameter Pollution attacks
GET /search?firstname=John&firstname=John
req.query.firstname // => ???
It is [ "John", "John" ] ! These excellent slides give you the details.
This library prevents those HTTP Parameter Pollution attacks by putting array parameters in req.query and/or req.body aside and just selecting the first parameter value.
This is a module for node.js and io.js and is installed via npm:
npm install hpp --save
Add the HPP middleware like this:
// ...
var hpp = require('hpp');
// ...
app.use(bodyParser.urlencoded()); // Make sure the body is parsed beforehand.
app.use(hpp()); // <- THIS IS THE NEW LINE
// Add your own middlewares afterwards, e.g.:
app.get('/search', function (req, res, next) { /* ... */ });
// They are safe from HTTP Parameter Pollution now.
req.queryBy default all top-level parameters in req.query are checked for being an array. If a parameter is an array the array is moved to req.queryPolluted and req.query is assigned the first value of the array:
GET /search?firstname=John&firstname=Alice&lastname=Doe
=>
req: {
query: {
firstname: 'John',
lastname: 'Doe',
},
queryPolluted: {
firstname: [ 'John', 'Alice' ]
}
}
Checking req.query may be turned off by using app.use(hpp({ checkQuery: false })).
req.bodyChecking req.body is only done for requests with an urlencoded body. Not for json nor multipart bodies.
By default all top-level parameters in req.body are checked for being an array. If a parameter is an array the array is moved to req.bodyPolluted and req.body is assigned the first value of the array:
POST firstname=John&firstname=Alice&lastname=Doe
=>
req: {
body: {
firstname: 'John',
lastname: 'Doe',
},
bodyPolluted: {
firstname: [ 'John', 'Alice' ]
}
}
Checking req.body may be turned off by using app.use(hpp({ checkBody: false })).
To set up your development environment for HPP:
cd to the main folder,npm install,npm install gulp -g if you haven't installed gulp globally yet, andgulp dev. (Or run node ./node_modules/.bin/gulp dev if you don't want to install gulp globally.)gulp dev watches all source files and if you save some changes it will lint the code and execute all tests. The test coverage report can be viewed from ./coverage/lcov-report/index.html.
If you want to debug a test you should use gulp test-without-coverage to run all tests without obscuring the code by the test coverage instrumentation.
In case you never heard about the ISC license it is functionally equivalent to the MIT license.
See the LICENSE file for details.
FAQs
Express middleware to protect against HTTP Parameter Pollution attacks
The npm package hpp receives a total of 0 weekly downloads. As such, hpp popularity was classified as not popular.
We found that hpp demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.
Security News
PyPI now supports digital attestations, enhancing security and trust by allowing package maintainers to verify the authenticity of Python packages.
Security News
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.