hitbox-http 0.2.1

Cacheable HTTP Request and Response
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148

//! Query string parsing utilities.
//!
//! Provides [`parse`] for deserializing URL query strings into key-value maps.
//! Used internally by query predicates and extractors.
//!
//! # Supported Syntax
//!
//! - Simple parameters: `key=value`
//! - Multiple parameters: `key1=value1&key2=value2`
//! - Array syntax: `color[]=red&color[]=blue`
//! - Nested parameters: `filter[status]=active` (up to 5 levels deep)
//!
//! # Security
//!
//! Nesting depth is limited to 5 levels to prevent DoS attacks via deeply
//! nested queries that could cause stack overflow or memory exhaustion.
//!
//! # Examples
//!
//! ```
//! use hitbox_http::query::{parse, Value};
//!
//! let params = parse("page=1&limit=10").unwrap();
//! assert_eq!(params.get("page").unwrap().inner(), vec!["1"]);
//!
//! // Array parameters
//! let params = parse("color[]=red&color[]=blue").unwrap();
//! assert_eq!(params.get("color").unwrap().inner(), vec!["red", "blue"]);
//! ```

use serde::Deserialize;
use std::collections::HashMap;

/// Maximum nesting depth for query string parsing.
///
/// Limits structures like `a[b][c][d][e][f]=value` to prevent DoS attacks
/// via deeply nested queries that could cause stack overflow or memory exhaustion.
const MAX_QUERY_DEPTH: usize = 5;

/// A query parameter value, either a single string or an array of strings.
///
/// # Examples
///
/// ```
/// use hitbox_http::query::{parse, Value};
///
/// // Scalar value
/// let params = parse("name=alice").unwrap();
/// assert!(matches!(params.get("name"), Some(Value::Scalar(_))));
///
/// // Array value (using bracket syntax)
/// let params = parse("tags[]=rust&tags[]=http").unwrap();
/// assert!(matches!(params.get("tags"), Some(Value::Array(_))));
/// ```
#[derive(Debug, Deserialize, PartialEq, Eq)]
#[serde(untagged)]
pub enum Value {
    /// A single parameter value.
    Scalar(String),
    /// Multiple values for the same parameter (array syntax).
    Array(Vec<String>),
}

impl Value {
    /// Returns all values as a vector.
    ///
    /// For [`Scalar`](Self::Scalar), returns a single-element vector.
    /// For [`Array`](Self::Array), returns all elements.
    pub fn inner(&self) -> Vec<String> {
        match self {
            Value::Scalar(value) => vec![value.to_owned()],
            Value::Array(values) => values.to_owned(),
        }
    }

    /// Returns `true` if the value contains the given string.
    pub fn contains(&self, value: &String) -> bool {
        self.inner().contains(value)
    }
}

/// Parses a query string into a map of key-value pairs.
///
/// Returns `None` if:
/// - The query string is malformed
/// - Nesting depth exceeds 5 levels
///
/// # Examples
///
/// ```
/// use hitbox_http::query::parse;
///
/// let params = parse("page=1&sort=name").unwrap();
/// assert_eq!(params.get("page").unwrap().inner(), vec!["1"]);
/// assert_eq!(params.get("sort").unwrap().inner(), vec!["name"]);
///
/// // Exceeds depth limit
/// assert!(parse("a[b][c][d][e][f][g]=1").is_none());
/// ```
pub fn parse(value: &str) -> Option<HashMap<String, Value>> {
    serde_qs::Config::new(MAX_QUERY_DEPTH, false)
        .deserialize_str(value)
        .ok()
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_parse_valid_one() {
        let hash_map = parse("key=value").unwrap();
        let value = hash_map.get("key").unwrap();
        assert_eq!(value.inner(), vec!["value"]);
    }

    #[test]
    fn test_parse_valid_multiple() {
        let hash_map = parse("key-one=value-one&key-two=value-two&key-three=value-three").unwrap();
        let value = hash_map.get("key-one").unwrap();
        assert_eq!(value.inner(), vec!["value-one"]);
        let value = hash_map.get("key-two").unwrap();
        assert_eq!(value.inner(), vec!["value-two"]);
        let value = hash_map.get("key-three").unwrap();
        assert_eq!(value.inner(), vec!["value-three"]);
    }

    #[test]
    fn test_parse_not_valid() {
        let hash_map = parse("   wrong   ").unwrap();
        assert_eq!(hash_map.len(), 1);
    }

    #[test]
    fn test_parse_exceeds_depth_returns_none() {
        // Nesting depth exceeds configured limit (5), should return None
        assert!(parse("a[b][c][d][e][f][g]=1").is_none());
    }

    #[test]
    fn test_parse_array_bracket_syntax() {
        // Note: serde_qs only supports bracket syntax for arrays (color[]=a&color[]=b)
        // Repeated keys without brackets (color=a&color=b) are not supported
        let hash_map = parse("color[]=red&color[]=blue&color[]=green").unwrap();
        let value = hash_map.get("color").unwrap();
        assert_eq!(value.inner(), vec!["red", "blue", "green"]);
    }
}