Throw error when query with wrongly encoded parameter

Marco129 · Marco129 · commit 312d06508552 · 2016-02-17T01:59:58.000+08:00
diff --git a/spec/RestQuery.spec.js b/spec/RestQuery.spec.js
@@ -4,6 +4,9 @@ var cache = require('../src/cache');
 var Config = require('../src/Config');
 var rest = require('../src/rest');
 
+var querystring = require('querystring');
+var request = require('request');
+
 var config = new Config('test');
 var nobody = auth.nobody(config);
 
@@ -92,4 +95,49 @@ describe('rest query', () => {
     }).catch((error) => { console.log(error); });
   });
 
+  it('query with wrongly encoded parameter', (done) => {
+    rest.create(config, nobody, 'TestParameterEncode', {foo: 'bar'}
+    ).then(() => {
+      return rest.create(config, nobody,
+                         'TestParameterEncode', {foo: 'baz'});
+    }).then(() => {
+      var headers = {
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest'
+      };
+      request.get({
+        headers: headers,
+        url: 'http://localhost:8378/1/classes/TestParameterEncode?'
+                         + querystring.stringify({
+                             where: '{"foo":{"$ne": "baz"}}',
+                             limit: 1
+                         }).replace('=', '%3D'),
+      }, (error, response, body) => {
+        expect(error).toBe(null);
+        var b = JSON.parse(body);
+        expect(b.code).toEqual(Parse.Error.INVALID_QUERY);
+        expect(b.error).toEqual('Improper encode of parameter');
+        done();
+      });
+    }).then(() => {
+      var headers = {
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest'
+      };
+      request.get({
+        headers: headers,
+        url: 'http://localhost:8378/1/classes/TestParameterEncode?'
+                         + querystring.stringify({
+                             limit: 1
+                         }).replace('=', '%3D'),
+      }, (error, response, body) => {
+        expect(error).toBe(null);
+        var b = JSON.parse(body);
+        expect(b.code).toEqual(Parse.Error.INVALID_QUERY);
+        expect(b.error).toEqual('Improper encode of parameter');
+        done();
+      });
+    });
+  });
+
 });
diff --git a/src/Routers/ClassesRouter.js b/src/Routers/ClassesRouter.js
@@ -2,6 +2,8 @@
 import PromiseRouter from '../PromiseRouter';
 import rest from '../rest';
 
+import url from 'url';
+
 export class ClassesRouter {
   // Returns a promise that resolves to a {response} object.
   handleFind(req) {
@@ -33,6 +35,12 @@ export class ClassesRouter {
     if (typeof body.where === 'string') {
       body.where = JSON.parse(body.where);
     }
+
+    let count = typeof body.where === 'object' ? 1 : 0;
+    if (body.length != options.length + count) {
+        throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Improper encode of parameter');
+    }
+
     return rest.find(req.config, req.auth, req.params.className, body.where, options)
       .then((response) => {
         if (response && response.results) {
