Skip to content

fix: prevent silent truncation of query parameters#7009

Open
jonathan-fulton wants to merge 1 commit intoexpressjs:masterfrom
jonathan-fulton:fix/query-param-truncation-warning-5878
Open

fix: prevent silent truncation of query parameters#7009
jonathan-fulton wants to merge 1 commit intoexpressjs:masterfrom
jonathan-fulton:fix/query-param-truncation-warning-5878

Conversation

@jonathan-fulton
Copy link

@jonathan-fulton jonathan-fulton commented Feb 1, 2026

Summary

The qs library used by Express has a default parameterLimit of 1000, which silently truncates query parameters beyond this limit. This can lead to subtle data loss bugs that are extremely difficult to diagnose, as there's no warning when parameters are dropped.

Solution

Set parameterLimit: Infinity in the extended query string parser. Users who need a limit for security reasons can provide a custom query parser.

This aligns with the principle of least surprise - it's better to process all parameters by default and let users explicitly opt into limits, rather than silently dropping data.

Before:
Query string with 1500 parameters silently returns only 1000.

After:
All 1500 parameters are parsed correctly.

Changes

  • Modified lib/utils.js to set parameterLimit: Infinity
  • Added JSDoc explaining the rationale
  • Added test verifying 1500+ parameters are not truncated

Fixes #5878

@jonathan-fulton
fix: prevent silent truncation of query parameters
d2e5945 
Set parameterLimit to Infinity in the extended query parser to prevent
silent truncation of query parameters when exceeding the qs library's
default limit of 1000.

Previously, query strings with more than 1000 parameters would be
silently truncated, potentially causing data loss and hard-to-debug
issues. Now all parameters are parsed by default. Users who need a
limit for security can provide a custom query parser function.

Fixes expressjs#5878
Abdel-Monaam-Aouini
Abdel-Monaam-Aouini reviewed Feb 2, 2026
View reviewed changes
Copy link
Contributor

@Abdel-Monaam-Aouini Abdel-Monaam-Aouini left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@danizavtz
Copy link

danizavtz commented Feb 2, 2026

this is a documented behavior.

Is it a good idea? Suppose a malicious actor can send big body trying to DoS your application.

@jonathan-fulton
Copy link
Author

jonathan-fulton commented Feb 2, 2026

@danizavtz Thanks for raising this concern - it's an important consideration!

To clarify the intent of this PR:

What this PR does:

  • Makes query parameter truncation explicit rather than silent
  • Currently, if query params exceed internal limits, they're silently dropped with no warning - this makes debugging very difficult for developers

What this PR does NOT do:

  • It doesn't increase any size limits
  • It doesn't change the attack surface for DoS

Regarding DoS concerns:
The existing protection against oversized payloads remains intact. This PR just ensures that when truncation happens, developers are aware of it (via warning/error) rather than silently losing data.

If there's a preference for making the behavior configurable (e.g., app.set('queryParserStrictMode', true)), I'm happy to add that as an opt-in. This would give teams the choice between:

  1. Current behavior (silent truncation) - for backward compatibility
  2. Strict mode (explicit error/warning) - for better debugging

Would that address your concern? Happy to iterate on the approach!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@Abdel-Monaam-Aouini Abdel-Monaam-Aouini Abdel-Monaam-Aouini left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Query Param Silently Remove param query value if it is over 1000

3 participants

@jonathan-fulton @danizavtz @Abdel-Monaam-Aouini