From 06b8157eeae3956e282cea325198d5f2c9c8fdc4 Mon Sep 17 00:00:00 2001
From: Marco129
Date: Wed, 17 Feb 2016 02:52:32 +0800
Subject: [PATCH] Throw error when query with wrongly encoded parameter

---
 spec/RestQuery.spec.js | 48 ++++++++++++++++++++++++++++++++++++
 src/Routers/ClassesRouter.js | 11 +++++++++
 2 files changed, 59 insertions(+)

diff --git a/spec/RestQuery.spec.js b/spec/RestQuery.spec.js
index b93a07d588..279f45f606 100644
--- a/spec/RestQuery.spec.js
+++ b/spec/RestQuery.spec.js
@@ -4,6 +4,9 @@ var cache = require('../src/cache');
 var Config = require('../src/Config');
 var rest = require('../src/rest');
+var querystring = require('querystring');
+var request = require('request');
+
 var config = new Config('test');
 var nobody = auth.nobody(config);
@@ -92,4 +95,49 @@ describe('rest query', () => { }).catch((error) => { console.log(error); }); }); + it('query with wrongly encoded parameter', (done) => { + rest.create(config, nobody, 'TestParameterEncode', {foo: 'bar'} + ).then(() => { + return rest.create(config, nobody, + 'TestParameterEncode', {foo: 'baz'}); + }).then(() => { + var headers = { + 'X-Parse-Application-Id': 'test', + 'X-Parse-REST-API-Key': 'rest' + }; + request.get({ + headers: headers, + url: 'http://localhost:8378/1/classes/TestParameterEncode?' + + querystring.stringify({ + where: '{"foo":{"$ne": "baz"}}', + limit: 1 + }).replace('=', '%3D'), + }, (error, response, body) => { + expect(error).toBe(null); + var b = JSON.parse(body); + expect(b.code).toEqual(Parse.Error.INVALID_QUERY); + expect(b.error).toEqual('Improper encode of parameter'); + done(); + }); + }).then(() => { + var headers = { + 'X-Parse-Application-Id': 'test', + 'X-Parse-REST-API-Key': 'rest' + }; + request.get({ + headers: headers, + url: 'http://localhost:8378/1/classes/TestParameterEncode?' + + querystring.stringify({ + limit: 1 + }).replace('=', '%3D'), + }, (error, response, body) => { + expect(error).toBe(null); + var b = JSON.parse(body); + expect(b.code).toEqual(Parse.Error.INVALID_QUERY); + expect(b.error).toEqual('Improper encode of parameter'); + done(); + }); + }); + }); + }); diff --git a/src/Routers/ClassesRouter.js b/src/Routers/ClassesRouter.js index c9fe9c4834..f13185a2ee 100644 --- a/src/Routers/ClassesRouter.js +++ b/src/Routers/ClassesRouter.js 
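Review bot: In the new spec 'query with wrongly encoded parameter' both `.then` callbacks call `request.get` without returning a promise, so the second `.then` runs before the first request's callback has fired, `done()` is invoked twice, and an assertion failing inside either callback can land after Jasmine has already reported the spec as passed; the chain also has no rejection handler, so a failing `rest.create` only shows up as a timeout. Wrapping each request in a promise and finishing the chain with `.then(done, done.fail)` (available in Jasmine 2.1+, which I assume this project uses) keeps every assertion inside the spec's lifetime. `.replace('=', '%3D')` rewrites only the first `=`, which is what turns the key into `where={...}` so the server rejects it; that intent deserves a comment such as `// encode the first '=' so the key arrives as 'where={...}' and misses the allowlist`. The enclosing describe block starts outside the hunk.
```javascript
    }).then(() => new Promise((resolve, reject) => {
      // … unchanged: headers …
      request.get({
        // … unchanged: headers and url of the first request …
      }, (error, response, body) => {
        if (error) { return reject(error); }
        var b = JSON.parse(body);
        expect(b.code).toEqual(Parse.Error.INVALID_QUERY);
        expect(b.error).toEqual('Improper encode of parameter');
        resolve();
      });
    })).then(() => new Promise((resolve, reject) => {
      // … unchanged: second request, wrapped the same way …
    })).then(done, done.fail);
```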
@@ -2,11 +2,22 @@ import PromiseRouter from '../PromiseRouter';
 import rest from '../rest';
+import url from 'url';
+
 export class ClassesRouter {
 // Returns a promise that resolves to a {response} object.
 handleFind(req) {
 let body = Object.assign(req.body, req.query);
 let options = {};
+ let allowConstraints = ['skip', 'limit', 'order', 'count', 'keys',
+ 'include', 'redirectClassNameForKey', 'where'];
+
+ for (var key in body) {
+ if (allowConstraints.indexOf(key) === -1) {
+ throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Improper encode of parameter');
+ }
+ }
+
 if (body.skip) {
 options.skip = Number(body.skip);
 }
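Review bot: The allowlist loop added to handleFind uses `for (var key in body)`, which also visits enumerable properties reachable through the prototype chain of the merged `req.body`/`req.query` object, so the rejection is not limited to keys the client actually sent; iterating own keys is the tighter form, `for (const key of Object.keys(body)) {`. Rejecting unknown parameters outright is a sound hardening, but the message 'Improper encode of parameter' is returned for any unrecognised key (a mistyped `limt` as much as a mis-encoded `where%3D…`), so naming the key, e.g. `'Invalid parameter: ' + key`, would make failures diagnosable without loosening the check — the spec in this commit pins the current text, so both would have to change together. `import url from 'url'` is not referenced anywhere in the hunk and looks like a leftover. handleFind's body continues past the hunk.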