fix: harden type checks for buildFormUrlEncodedPayload (#5811)

2026-06-16 04:11:29 +00:00 · 2025-10-16 13:31:13 +05:30
parent 4c3a9928bc
commit 2becf49542
3 changed files with 33 additions and 2 deletions
--- a/packages/bruno-cli/src/utils/form-data.js
+++ b/packages/bruno-cli/src/utils/form-data.js
@@ -8,9 +8,14 @@ const path = require('path');
 * @returns {string} Returns a order respecting standard compliant string of form encoded values
 */
 const buildFormUrlEncodedPayload = (params) => {
+  if (typeof params !== 'object') return '';
+  if (!Array.isArray(params)) return '';
  const resultParams = new URLSearchParams();
  for (const param of params) {
-    resultParams.append(param.name, param.value);
+    // Invalid items are ignored
+    if (typeof param !== 'object') continue;
+    if (!('name' in param)) continue;
+    resultParams.append(param.name, param.value ?? '');
  }
  return resultParams.toString();
 };
--- a/packages/bruno-electron/src/utils/form-data.js
+++ b/packages/bruno-electron/src/utils/form-data.js
@@ -8,9 +8,14 @@ const path = require('path');
 * @returns {string} Returns a order respecting standard compliant string of form encoded values
 */
 const buildFormUrlEncodedPayload = (params) => {
+  if (typeof params !== 'object') return '';
+  if (!Array.isArray(params)) return '';
  const resultParams = new URLSearchParams();
  for (const param of params) {
-    resultParams.append(param.name, param.value);
+    // Invalid items are ignored
+    if (typeof param !== 'object') continue;
+    if (!('name' in param)) continue;
+    resultParams.append(param.name, param.value ?? '');
  }
  return resultParams.toString();
 };
--- a/packages/bruno-electron/tests/network/prepare-request.spec.js
+++ b/packages/bruno-electron/tests/network/prepare-request.spec.js
@@ -58,6 +58,27 @@ describe('prepare-request: prepareRequest', () => {
      const result = buildFormUrlEncodedPayload(requestObj);
      expect(result).toEqual(expected);
    });
+
+    it('returns empty string when params is not an object', () => {
+      expect(buildFormUrlEncodedPayload(null)).toEqual('');
+      expect(buildFormUrlEncodedPayload('string')).toEqual('');
+      expect(buildFormUrlEncodedPayload(123)).toEqual('');
+      expect(buildFormUrlEncodedPayload(undefined)).toEqual('');
+    });
+
+    it('ignores invalid items inside params array', () => {
+      const requestObj = [
+        { name: 'item1', value: 'a' },
+        'not-an-object',
+        { value: 'missingName' },
+        42,
+        { name: 'item2', value: 'b' },
+        { name: 'item3' }
+      ];
+      const expected = 'item1=a&item2=b&item3=';
+      const result = buildFormUrlEncodedPayload(requestObj);
+      expect(result).toEqual(expected);
+    });
  });

  describe.each(['POST', 'PUT', 'PATCH'])('POST request with no body', (method) => {