api-query-params icon indicating copy to clipboard operation
api-query-params copied to clipboard
verified publisher icon loris

White list not work on advanced filter object

Open ngdnghia28 opened this issue 5 years ago • 2 comments 

import * as aqp from 'api-query-params';

const query = aqp('filter={"$or":[{"key1":"value1"},{"key2":"value2"}]}', {
    whitelist: ['key1']
});
console.log(JSON.stringify(query, null, 2));

Will print out:

{
  "filter": {
    "$or": [
      {
        "key1": "value1"
      },
      {
        "key2": "value2"
      }
    ]
  }
}

Expected result:

{
  "filter": {
    "$or": [
      {
        "key1": "value1"
      }
    ]
  }
}

ngdnghia28 avatar Dec 30 '20 08:12 ngdnghia28

Hi @ngdnghia28 I'm not so sure how to handle your request safely. As the filter query param is not traversed (because it's structure is totally unknown to the library) but simply JSON parsed. It can be tricky to exclude/include keys since the keys position can be deep in the JSON tree (if you combine $and, $or, $elemMatch, etc operators) Any idea?

loris avatar Oct 26 '21 15:10 loris

Isn't it possible to recursively traverse the object, and if a key is not started with a $ sign, and is not in the whitelist array, then remove it? I'm not sure of other edge cases it might have, but it seems possible

molaeiali avatar Jan 08 '23 10:01 molaeiali