Separate request body from data added to request object #86

Closed
zRosenthal opened this issue Dec 30, 2018 · 1 comment
@zRosenthal (Member)

Currently, data added to the request object by calling the add (or addMultiple) method on an instance of the Request class is retrieved the same way as data from the HTTP request.
Reason for change:

  • you cannot have a request body field with the same key as context data added to the request
  • in certain circumstances this could result in a potential vulnerability in which data can be sent in the request body that would otherwise be assigned based on certain permissions later in the request lifecycle. Ex. you could have a middleware that conditionally adds the CAN_WRITE key to the request object by calling the add method. Someone could simply add the CAN_WRITE key to a request object and there would be no way for the app to distinguish the two. This can be defended against by validating the request body and/or always setting the CAN_WRITE flag to false before conditionally assigning it to true

Solution

  • add the following methods to the Request class: addToContext, mergeIntoContext, getFromContext and getFromContextOrFail
  • deprecate add and addMultiple
@zRosenthal zRosenthal added the bug label Dec 30, 2018
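The two designs the issue contrasts, as an added example (not the mindless project's own code): a Request that stores middleware-added data in the same map as the HTTP body, beside one using the proposed separate-context methods. The CAN_WRITE middleware and the request body are assumed and constructed for the demonstration.

```typescript
type Body = Record<string, unknown>;
const CAN_WRITE = "CAN_WRITE";

// Current design (vulnerable): add() writes into the same map the HTTP body
// was loaded into, so get() cannot tell middleware data from client data.
class SharedStoreRequest {
  private data: Map<string, unknown>;
  constructor(body: Body) { this.data = new Map(Object.entries(body)); }
  add(key: string, value: unknown): void { this.data.set(key, value); }
  get(key: string): unknown { return this.data.get(key); }
}

// Proposed design: body and context live in separate maps with separate accessors.
class ContextRequest {
  private readonly body: Map<string, unknown>;
  private readonly context = new Map<string, unknown>();
  constructor(body: Body) { this.body = new Map(Object.entries(body)); }
  get(key: string): unknown { return this.body.get(key); }
  addToContext(key: string, value: unknown): void { this.context.set(key, value); }
  mergeIntoContext(values: Record<string, unknown>): void {
    for (const [k, v] of Object.entries(values)) this.context.set(k, v);
  }
  getFromContext(key: string): unknown { return this.context.get(key); }
  getFromContextOrFail(key: string): unknown {
    if (!this.context.has(key)) throw new Error(`missing context key: ${key}`);
    return this.context.get(key);
  }
}

// Hypothetical authorization middleware: grants CAN_WRITE only to admins and,
// like the issue's example, never resets the flag to false first.
function sharedStoreAllowsWrite(body: Body, isAdmin: boolean): boolean {
  const req = new SharedStoreRequest(body);
  if (isAdmin) req.add(CAN_WRITE, true);
  return req.get(CAN_WRITE) === true; // also true for a forged body from a non-admin
}

// Same middleware logic on the separated design: the handler only trusts the context.
function contextAllowsWrite(body: Body, isAdmin: boolean): boolean {
  const req = new ContextRequest(body);
  if (isAdmin) req.addToContext(CAN_WRITE, true);
  return req.getFromContext(CAN_WRITE) === true; // a body field named CAN_WRITE is ignored
}

// Constructed request body from a non-admin client that happens to carry the flag name.
const forgedBody: Body = { title: "hello", CAN_WRITE: true };
console.log(sharedStoreAllowsWrite(forgedBody, false)); // true  (flag spoofed via body)
console.log(contextAllowsWrite(forgedBody, false));     // false (body cannot reach context)
```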
zRosenthal added a commit to zRosenthal/mindless-1 that referenced this issue Apr 28, 2019
add functionality to support future features outlined in issue SpartanLabs#73

re SpartanLabs#86
zRosenthal added a commit that referenced this issue Jul 29, 2019
* feat(Request and App handler): Add ability for custom request deserialization and improve request ob

BREAKING CHANGE: Request class has changed

* test(Request and App): finish updating request and app classes

add functionality to support future features outlined in issue #73

re #86

* refactor(request objects): change params, query string, and headers to be es6 maps

BREAKING CHANGE: must now pass headers and query string through as es6 maps

* build(typescript version bump): updated to latest stable typescript version 3.5.x

* docs(readme):
@zRosenthal (Member, Author)

addressed in #88
