include::../description.adoc[]

== Noncompliant Code Example

When url query parameters are parsed by the https://www.npmjs.com/package/qs[qs] module for instance (it's the case by default with express.js framework) then it's possible to inject objects in the URL:

----
function (req, res) {
  let query = { user: req.query.user, city: req.query.city };

  db.collection("users")
    .find(query) // Noncompliant: http://website/?user=admin&city[%24ne]=
    .toArray((err, docs) => { });
}
----

== Compliant Solution

Make sure to validate the input types to only handle Strings:

----
function (req, res) {
  let query = { user: req.query.user.toString(), city: req.query.city.toString() };

  db.collection("users")
    .find(query) // Compliant
    .toArray((err, docs) => { });
}
----

include::../see.adoc[]
ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

include::../highlighting.adoc[]

endif::env-github,rspecator-view[]