🩹 Fix: handle un-matched open brackets in the query params (#3121)

dojutsu-user · web-flow · commit cb06bc5f4cf2 · 2024-09-06T08:02:02.000+02:00
* Add logic for counting open brackets

* Add UTs

* update increment/decrement syntax with ++/--

* Update UT to remove duplicate
diff --git a/ctx.go b/ctx.go
@@ -1306,15 +1306,24 @@ func parseParamSquareBrackets(k string) (string, error) {
 	defer bytebufferpool.Put(bb)
 
 	kbytes := []byte(k)
+	openBracketsCount := 0
 
 	for i, b := range kbytes {
-		if b == '[' && kbytes[i+1] != ']' {
-			if err := bb.WriteByte('.'); err != nil {
-				return "", fmt.Errorf("failed to write: %w", err)
+		if b == '[' {
+			openBracketsCount++
+			if i+1 < len(kbytes) && kbytes[i+1] != ']' {
+				if err := bb.WriteByte('.'); err != nil {
+					return "", fmt.Errorf("failed to write: %w", err)
+				}
 			}
+			continue
 		}
 
-		if b == '[' || b == ']' {
+		if b == ']' {
+			openBracketsCount--
+			if openBracketsCount < 0 {
+				return "", errors.New("unmatched brackets")
+			}
 			continue
 		}
 
@@ -1323,6 +1332,10 @@ func parseParamSquareBrackets(k string) (string, error) {
 		}
 	}
 
+	if openBracketsCount > 0 {
+		return "", errors.New("unmatched brackets")
+	}
+
 	return bb.String(), nil
 }
 
diff --git a/ctx_test.go b/ctx_test.go
@@ -4508,6 +4508,10 @@ func Test_Ctx_QueryParser(t *testing.T) {
 	utils.AssertEqual(t, nil, c.QueryParser(empty))
 	utils.AssertEqual(t, 0, len(empty.Hobby))
 
+	c.Request().URI().SetQueryString("id=1&name[=tom")
+	q = new(Query)
+	utils.AssertEqual(t, "unmatched brackets", c.QueryParser(q).Error())
+
 	type Query2 struct {
 		Bool            bool
 		ID              int
@@ -4790,6 +4794,10 @@ func Test_Ctx_QueryParser_Schema(t *testing.T) {
 	utils.AssertEqual(t, "doe", cq.Data[1].Name)
 	utils.AssertEqual(t, 12, cq.Data[1].Age)
 
+	c.Request().URI().SetQueryString("data[0][name]=john&data[0][age]=10&data[1]name]=doe&data[1][age]=12")
+	cq = new(CollectionQuery)
+	utils.AssertEqual(t, "unmatched brackets", c.QueryParser(cq).Error())
+
 	c.Request().URI().SetQueryString("data.0.name=john&data.0.age=10&data.1.name=doe&data.1.age=12")
 	cq = new(CollectionQuery)
 	utils.AssertEqual(t, nil, c.QueryParser(cq))

Original file line number	Diff line number	Diff line change
`@@ -1306,15 +1306,24 @@ func parseParamSquareBrackets(k string) (string, error) {`
`1306`	`1306`	`defer bytebufferpool.Put(bb)`
`1307`	`1307`
`1308`	`1308`	`kbytes := []byte(k)`
	`1309`	`+ openBracketsCount := 0`
`1309`	`1310`
`1310`	`1311`	`for i, b := range kbytes {`
`1311`		`- if b == '[' && kbytes[i+1] != ']' {`
`1312`		`- if err := bb.WriteByte('.'); err != nil {`
`1313`		`- return "", fmt.Errorf("failed to write: %w", err)`
	`1312`	`+ if b == '[' {`
	`1313`	`+ openBracketsCount++`
	`1314`	`+ if i+1 < len(kbytes) && kbytes[i+1] != ']' {`
	`1315`	`+ if err := bb.WriteByte('.'); err != nil {`
	`1316`	`+ return "", fmt.Errorf("failed to write: %w", err)`
	`1317`	`+ }`
`1314`	`1318`	`}`
	`1319`	`+ continue`
`1315`	`1320`	`}`
`1316`	`1321`
`1317`		`- if b == '[' \|\| b == ']' {`
	`1322`	`+ if b == ']' {`
	`1323`	`+ openBracketsCount--`
	`1324`	`+ if openBracketsCount < 0 {`
	`1325`	`+ return "", errors.New("unmatched brackets")`
	`1326`	`+ }`
`1318`	`1327`	`continue`
`1319`	`1328`	`}`
`1320`	`1329`
`@@ -1323,6 +1332,10 @@ func parseParamSquareBrackets(k string) (string, error) {`
`1323`	`1332`	`}`
`1324`	`1333`	`}`
`1325`	`1334`
	`1335`	`+ if openBracketsCount > 0 {`
	`1336`	`+ return "", errors.New("unmatched brackets")`
	`1337`	`+ }`
	`1338`	`+`
`1326`	`1339`	`return bb.String(), nil`
`1327`	`1340`	`}`
`1328`	`1341`