Express middleware to protect against HTTP Parameter Pollution attacks
Let Chetan Karande's slides do the explaining:
...and exploits may allow bypassing the input validation or even result in denial of service.
HPP puts array parameters in req.query and/or req.body aside and just selects the first parameter value. You add the middleware and you are done.
This is a module for node.js and io.js and is installed via npm:
npm install hpp --save
Add the HPP middleware like this:
// ...
var hpp = require('hpp');
// ...
app.use(bodyParser.urlencoded()); // Make sure the body is parsed beforehand.
app.use(hpp()); // <- THIS IS THE NEW LINE
// Add your own middlewares afterwards, e.g.:
app.get('/search', function (req, res, next) { /* ... */ });
// They are safe from HTTP Parameter Pollution now.
req.queryBy default all top-level parameters in req.query are checked for being an array. If a parameter is an array the array is moved to req.queryPolluted and req.query is assigned the first value of the array:
GET /search?firstname=John&firstname=Alice&lastname=Doe
=>
req: {
query: {
firstname: 'John',
lastname: 'Doe',
},
queryPolluted: {
firstname: [ 'John', 'Alice' ]
}
}
Checking req.query may be turned off by using app.use(hpp({ checkQuery: false })).
req.bodyChecking req.body is only done for requests with an urlencoded body. Not for json nor multipart bodies.
By default all top-level parameters in req.body are checked for being an array. If a parameter is an array the array is moved to req.bodyPolluted and req.body is assigned the first value of the array:
POST firstname=John&firstname=Alice&lastname=Doe
=>
req: {
body: {
firstname: 'John',
lastname: 'Doe',
},
bodyPolluted: {
firstname: [ 'John', 'Alice' ]
}
}
Checking req.body may be turned off by using app.use(hpp({ checkBody: false })).
To set up your development environment for HPP:
cd to the main folder,npm install,npm install gulp -g if you haven't installed gulp globally yet, andgulp dev. (Or run node ./node_modules/.bin/gulp dev if you don't want to install gulp globally.)gulp dev watches all source files and if you save some changes it will lint the code and execute all tests. The test coverage report can be viewed from ./coverage/lcov-report/index.html.
If you want to debug a test you should use gulp test-without-coverage to run all tests without obscuring the code by the test coverage instrumentation.
In case you never heard about the ISC license it is functionally equivalent to the MIT license.
See the LICENSE file for details.
FAQs
Express middleware to protect against HTTP Parameter Pollution attacks
The npm package hpp receives a total of 47,455 weekly downloads. As such, hpp popularity was classified as popular.
We found that hpp demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
The Socket Research team breaks down a malicious npm package targeting the legitimate DOMPurify library. It uses obfuscated code to hide that it is exfiltrating browser and crypto wallet data.
Security News
ENISA’s 2024 report highlights the EU’s top cybersecurity threats, including rising DDoS attacks, ransomware, supply chain vulnerabilities, and weaponized AI.
Security News
NIST's new password guidelines remove periodic changes and special character requirements, focusing on longer, more secure passwords for better authentication practices.