query sanitation is not happening or not mutating req.query object #1080

Open
mylawacad opened this issue Aug 16, 2021 · 7 comments

Comments


mylawacad commented Aug 16, 2021

query sanitation is not happening or not mutating req.query object


const express = require('express')
const { query, validationResult } = require('express-validator')

const app = express()

// Run the validation/sanitization chains manually against the request, then
// either continue to the next handler or respond with the collected errors.
const getUsersList = async (req, res, next) => {
  const validations = [
    query('saitizedParam').trim().escape(),
    query('testLenParam').isLength({ min: 5 }),
    query('textParam').not().isEmpty().trim().escape()
  ]

  await Promise.all(validations.map(validation => validation.run(req)))

  const errors = validationResult(req)
  if (errors.isEmpty()) {
    return next()
  }

  res.status(403).json({ error: errors.array() })
}

// Echo req.query back so the effect of the sanitizers (or the lack of it) is visible.
app.get('/', getUsersList, function (req, res) {
  const { query } = req
  console.log(query)
  res.status(200).json(query)
})

app.listen(3030)

Try sending this:
http://localhost:3030/?saitizedParam=%20%20%20Hello%20world%20:%3E)%20%20%20&testLenParam=qwerty&textParam=123test

The console will output the same unsanitized value, i.e. "   Hello world :>)   " with the > and the spaces kept.

Validator.js version: 6.12.1
Express.js version: 5.0.0-alpha.8
Node.js version: v14.15.5
OS platform: windows

fedeci (Member) commented Aug 16, 2021

Does it work with express@4 ?


edit: I think it does (ref: expressjs/express#2752). We should mention it in the docs as a FAQ.

mylawacad (Author) commented

> Does it work with express@4 ?
>
> edit: I think it does (ref: expressjs/express#2752). We should mention it in the docs as a FAQ.

Hi @fedeci

Thank you for taking a look into this. Just tested with express v ^4.17.1 and sanitation works as expected on that version. So whatever it is, it was introduced in express v ^5.0.0-alpha.8.

Also just updated the initial description with better test example

KR,
Andrew

fedeci (Member) commented Aug 16, 2021

We can do nothing while express 5 is still in alpha :(

mylawacad (Author) commented

@fedeci yes, I tend to agree. Thank you for paying attention

GSpletty commented

FYI as a workaround for this, we've been calling the associated methods from 'validator' directly, this is related to #1075

fedeci (Member) commented Aug 18, 2021

Yes, that does not mutate the original req object and works 👍

gustavohenke (Member) commented

express 5 has been coming for so many years.

I don't have too many ideas about how I'd fix this, but one possibility that might appeal to some is using matchedData(), which should return data from express-validator's internal memory instead of from the request.
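
The following is an added, dependency-free example that is not part of this thread and not code from the express-validator or Express projects. It models the mechanism the thread describes: on Express 4 `req.query` is a parsed object stored on the request, so a sanitizer that writes `req.query.x = ...` is seen by the next handler; on Express 5 (per the expressjs/express#2752 reference above) `req.query` is computed from the URL on each access, so the write lands on a throwaway object and the next handler reads the original, unsanitized value. It then shows the workaround both GSpletty and gustavohenke point at: keep sanitized values beside the request rather than on it, and read them from there. The `makeReq`, `sanitizeInPlace`, `sanitizeToStore` and `sanitizedData` helpers, the `SANITIZED` store and the simplified `trim`/`escapeHtml` stand-ins are all assumptions of this example; they are not the library's `escape()` table or `matchedData()` implementation.

```javascript
// Added example: models lost query sanitization when req.query is a getter.
// All helpers below are assumptions of this example, not library code.

// Build a fake request. getterQuery=false stores a parsed object on req (Express 4-like);
// getterQuery=true re-parses req.url on every access (Express 5-like).
function makeReq(url, { getterQuery }) {
  const parse = () => Object.fromEntries(new URL(url, 'http://localhost').searchParams);
  const req = { url };
  if (getterQuery) {
    Object.defineProperty(req, 'query', { get: parse, enumerable: true });
  } else {
    req.query = parse();
  }
  return req;
}

// Simplified stand-ins for validator's trim() and escape() (assumed, not the real table).
const trim = (s) => s.trim();
const escapeHtml = (s) =>
  s.replace(/[&<>"'\/\\`]/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
    "'": '&#x27;', '/': '&#x2F;', '\\': '&#x5C;', '`': '&#96;',
  })[c]);

// The mutating approach the issue relies on: sanitize and write back onto req.query.
// Returns what a downstream handler would see when it reads req.query again.
function sanitizeInPlace(req, field) {
  const q = req.query;                       // a fresh object when query is a getter
  q[field] = escapeHtml(trim(q[field] ?? ''));
  return req.query[field];                   // re-read, as the next handler would
}

// Workaround: keep sanitized values in a store keyed on the request object.
// This is the idea behind reading from express-validator's own memory rather
// than from req; the store here is an assumption of this example.
const SANITIZED = new WeakMap();
function sanitizeToStore(req, field) {
  const value = escapeHtml(trim(req.query[field] ?? ''));
  const store = SANITIZED.get(req) ?? {};
  store[field] = value;
  SANITIZED.set(req, store);
  return value;
}
function sanitizedData(req) {
  return { ...(SANITIZED.get(req) ?? {}) };
}

// Constructed input, the same query string as in the issue report.
const SAMPLE_URL = '/?saitizedParam=%20%20%20Hello%20world%20:%3E)%20%20%20';

// Compare the three behaviours on one field. Returns what each path yields.
function compare(field = 'saitizedParam') {
  const req4 = makeReq(SAMPLE_URL, { getterQuery: false });
  const req5 = makeReq(SAMPLE_URL, { getterQuery: true });
  return {
    storedQuery: sanitizeInPlace(req4, field),     // mutation survives
    getterQuery: sanitizeInPlace(req5, field),     // mutation is lost
    fromStore: sanitizeToStore(req5, field),       // workaround
    storeSnapshot: sanitizedData(req5),
  };
}

console.log(compare());
```

Run it with `node` to see the stored-object request return the escaped, trimmed value while the getter-backed request hands back the original string with the `>` and surrounding spaces intact; only the value read from the side store is safe to pass on. Whichever approach you use, the check to add in your own code is to read the value from the place the sanitizer actually wrote to, not from `req.query`, before using it in a response or a query.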
