
Allow configuring query parser#7375

Open
fenichelar wants to merge 3 commits into balderdashy:master from fenichelar:allow-configuring-query-parser

Conversation


@fenichelar fenichelar commented Feb 20, 2026

Overview

This PR adds a new http configuration to sails called queryParser. If specified, this value is passed directly to express.

A test where queryParser is set to false to disable query parsing has also been added.

Justification

There have been two recent security issues identified in qs:

To address these issues, enforcement of the arrayLimit has been expanded to additional scenarios. The default value for arrayLimit in qs is 20. express does not set the arrayLimit when configuring qs, so the default value is used in express (and therefore sails) query parsing.

Applications that were accepting long (greater than 20) query arrays with previous versions of sails are no longer able to accept these long query arrays.

express does not provide a way to change the arrayLimit value passed to qs, but it does provide the ability to override the query parser with a custom query parser (which could just be qs configured with a larger arrayLimit). However, this configuration of express is not currently accessible to sails applications. This PR makes it accessible.
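The kind of custom query-parser function this PR would let a Sails app hand to express, as an added example that is not part of the PR or of Sails/express: the `queryParser` key's shape is assumed from the description above, and the parser is a small hand-written one (not qs) that supports only `k=v`, `k[]=v` and `k[n]=v`, enforcing its own arrayLimit by rejecting the query outright rather than reproducing qs's exact semantics.

```javascript
// Added example (not from the PR): a bounded custom query parser of the kind
// the proposed `queryParser` setting would pass through to express.
// It is a deliberately small hand-written parser, not qs, and handles only
// `k=v`, `k[]=v` and `k[n]=v`. Policy chosen here: an array that would grow
// past `arrayLimit` is rejected with an error, so the limit stays explicit
// even when an application raises it above the qs default of 20.
'use strict';

function makeBoundedQueryParser({ arrayLimit = 20 } = {}) {
  return function parseQuery(str) {
    const out = Object.create(null); // null prototype: "__proto__" is just a key
    for (const [rawKey, value] of new URLSearchParams(str)) {
      const m = /^([^\[\]]+)\[(\d*)\]$/.exec(rawKey);
      if (!m) { out[rawKey] = value; continue; } // plain scalar, last one wins
      const [, name, index] = m;
      if (!Array.isArray(out[name])) out[name] = [];
      const arr = out[name];
      const i = index === '' ? arr.length : Number(index); // `k[]` appends
      if (i >= arrayLimit) {
        throw new RangeError(`query array "${name}" exceeds arrayLimit=${arrayLimit}`);
      }
      arr[i] = value;
    }
    return out;
  };
}

// Assumed use in config/http.js once the PR's `queryParser` key exists; a
// function is all express needs for a custom query parser:
//   module.exports.http = { queryParser: makeBoundedQueryParser({ arrayLimit: 100 }) };

// Contrast the default-sized limit with a raised one on a 30-element array.
function demo() {
  const thirty = Array.from({ length: 30 }, (_, i) => `ids[]=${i}`).join('&');
  let rejectedAtDefault = false;
  try { makeBoundedQueryParser()(thirty); } catch (e) { rejectedAtDefault = e instanceof RangeError; }
  const parsed = makeBoundedQueryParser({ arrayLimit: 100 })(thirty);
  return { rejectedAtDefault, acceptedLength: parsed.ids.length };
}
```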

@sailsbot

Thanks for submitting this pull request, @fenichelar! We'll look at it ASAP.

In the mean time, here are some ways you can help speed things along:

  • discuss this pull request with other contributors and get their feedback. (Reactions and comments can help us make better decisions, anticipate compatibility problems, and prevent bugs.)
  • ask another JavaScript developer to review the files changed in this pull request. (Peer reviews definitely don't guarantee perfection, but they help catch mistakes and encourage collaborative thinking. Code reviews are so useful that some open source projects require a minimum number of reviews before even considering a merge!)
  • if appropriate, ask your business to sponsor your pull request. (Open source is our passion, and our core maintainers volunteer many of their nights and weekends working on Sails. But you only get so many nights and weekends in life, and stuff gets done a lot faster when you can work on it during normal daylight hours.)
  • make sure you've answered the "why?" (Before we can review and merge a pull request, we feel it is important to fully understand the use case: the human reason these changes are important for you, your team, or your organization.)

Please remember: never post in a public forum if you believe you've found a genuine security vulnerability. Instead, disclose it responsibly.

For help with questions about Sails, click here.
