From db94f7391ad0a16dcfcba8b9be1af385b25c42db Mon Sep 17 00:00:00 2001
From: dahyun
Date: Thu, 2 Mar 2017 16:47:06 +0900
Subject: [PATCH] feat: Improve fetchParams
* Add geo-info to extra options
* protect against HTTP Parameter Pollution attacks
* Add int, float type options for parameters
---
 lib/fetchParams.js | 48 ++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 40 insertions(+), 8 deletions(-)
diff --git a/lib/fetchParams.js b/lib/fetchParams.js
index 1c71478..76e9c99 100644
--- a/lib/fetchParams.js
+++ b/lib/fetchParams.js
@@ -8,15 +8,21 @@ var TYPE_DELIMETER = ':'
 , extraOption;
 
 function getValue(req, keyName) {
+ var value;
+
 if (req.params && req.params[keyName] !== undefined) {
- return req.params[keyName];
+ value = req.params[keyName];
 } else if (req.body && req.body[keyName] !== undefined) {
- return req.body[keyName];
+ value = req.body[keyName];
 } else if (req.query && req.query[keyName] !== undefined) {
- return req.query[keyName];
- } else {
- return undefined;
+ value = req.query[keyName];
+ }
+
+ if (Array.isArray(value)) {
+ value = value[value.length - 1];
 }
+
+ return value;
 }
 
 function getPath(req, keyName) {
@@ -117,6 +123,17 @@ function getOptionalParams(req, option_expressions) {
 
 val = getFunc(req, key);
 
+ var typeMap = {
+ int: parseInt,
+ float: parseFloat,
+ number: parseFloat
+ };
+
+ var idx = Object.keys(typeMap).indexOf(keyInfo.type);
+ if (idx >= 0) {
+ options[key] = typeMap[keyInfo.type](val);
+ }
+
 if (keyInfo.type === 'number') {
 if (val !== undefined && val !== '')
 options[key] = parseFloat(val);
@@ -178,7 +195,7 @@ function requiredParameter(req, required_expressions) {
 , key
 , val;
 
- for (var i = 0, li = required_expressions.length; i
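Review bot: The HPP guard in getValue keeps only the last element of an array-valued parameter, but nothing in the code records that policy, and an empty array silently becomes `undefined` (index -1), which every caller will read as "parameter not supplied"; a comment above the `Array.isArray(value)` check should state it: `// HPP guard: a key sent more than once is parsed into an array; keep the last occurrence so the type checks downstream always see a scalar (an empty array yields undefined).` The collapse is applied after the params/body/query precedence, so a scalar in req.params still shadows an array in req.query, which appears to be the intent. Nested objects produced by the query parser are not arrays and pass through untouched, so the int/float/number parsing in getOptionalParams remains the only place such a value is rejected; the comment should say that too.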
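Review bot: The new type dispatch in getOptionalParams calls `typeMap[keyInfo.type](val)` whenever the type is int, float or number, even when `val` is undefined or '', so an absent optional int or float parameter is stored in options as `NaN` instead of being left out, while the pre-existing `number` branch directly below guards exactly that case and then writes the same key a second time. Change the condition to `if (idx >= 0 && val !== undefined && val !== '') {` and drop the now-redundant `number` block. `parseInt` is used without a radix and accepts trailing garbage (`'12abc'` parses to 12), so a value declared as `int` can still carry junk; `int: function (v) { return parseInt(v, 10); }` fixes the radix, and a stricter `Number(v)` combined with `Number.isSafeInteger` would reject partial parses outright. `typeMap` is rebuilt on every loop iteration and probed with `Object.keys(...).indexOf(...)`; hoist it to module scope and test `typeMap.hasOwnProperty(keyInfo.type)`. getOptionalParams starts and ends outside the hunk, and the garbled hunk further down seems to apply `_.isSafeInteger` to `val` before it is parsed, which would reject every required int parameter if `val` is still a string at that point — worth confirming against the full file.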
  • = 0) { if (isNaN(val)) { err = new Error('The parameter value is not a number : ' + key); err.code = 400; break; } - options[key] = parseFloat(val); + + if (keyInfo.type == 'int' && !_.isSafeInteger(val)) { + err = new Error('The parameter value is not a integer : ' + key); + err.code = 400; + break; + } + + options[key] = typeMap[keyInfo.type](val); } else { options[key] = val; }