🩹 Fix: handle un-matched open brackets in the query params (#3121)

* Add logic for counting open brackets * Add UTs * update increment/decrement syntax with ++/-- * Update UT to remove duplicate
2024-09-06 11:32:02 +05:30 · 2024-09-06 11:32:02 +05:30 · cb06bc5f4c
parent bfcf91dab8
commit cb06bc5f4c
2 changed files with 25 additions and 4 deletions
--- a/ctx.go
+++ b/ctx.go
@ -1306,15 +1306,24 @@ func parseParamSquareBrackets(k string) (string, error) {
 	defer bytebufferpool.Put(bb)

 	kbytes := []byte(k)
+	openBracketsCount := 0

 	for i, b := range kbytes {
-		if b == '[' && kbytes[i+1] != ']' {
-			if err := bb.WriteByte('.'); err != nil {
-				return "", fmt.Errorf("failed to write: %w", err)
+		if b == '[' {
+			openBracketsCount++
+			if i+1 < len(kbytes) && kbytes[i+1] != ']' {
+				if err := bb.WriteByte('.'); err != nil {
+					return "", fmt.Errorf("failed to write: %w", err)
+				}
 			}
+			continue
 		}

-		if b == '[' || b == ']' {
+		if b == ']' {
+			openBracketsCount--
+			if openBracketsCount < 0 {
+				return "", errors.New("unmatched brackets")
+			}
 			continue
 		}

@ -1323,6 +1332,10 @@ func parseParamSquareBrackets(k string) (string, error) {
 		}
 	}

+	if openBracketsCount > 0 {
+		return "", errors.New("unmatched brackets")
+	}
+
 	return bb.String(), nil
 }

--- a/ctx_test.go
+++ b/ctx_test.go
@ -4508,6 +4508,10 @@ func Test_Ctx_QueryParser(t *testing.T) {
 	utils.AssertEqual(t, nil, c.QueryParser(empty))
 	utils.AssertEqual(t, 0, len(empty.Hobby))

+	c.Request().URI().SetQueryString("id=1&name[=tom")
+	q = new(Query)
+	utils.AssertEqual(t, "unmatched brackets", c.QueryParser(q).Error())
+
 	type Query2 struct {
 		Bool            bool
 		ID              int
@ -4790,6 +4794,10 @@ func Test_Ctx_QueryParser_Schema(t *testing.T) {
 	utils.AssertEqual(t, "doe", cq.Data[1].Name)
 	utils.AssertEqual(t, 12, cq.Data[1].Age)

+	c.Request().URI().SetQueryString("data[0][name]=john&data[0][age]=10&data[1]name]=doe&data[1][age]=12")
+	cq = new(CollectionQuery)
+	utils.AssertEqual(t, "unmatched brackets", c.QueryParser(cq).Error())
+
 	c.Request().URI().SetQueryString("data.0.name=john&data.0.age=10&data.1.name=doe&data.1.age=12")
 	cq = new(CollectionQuery)
 	utils.AssertEqual(t, nil, c.QueryParser(cq))