Merge pull request #814 from AikidoSec/empty-strings

hansott · web-flow · commit 2f1cca9b3d35 · 2025-11-10T16:26:02.000+01:00
Don't add empty strings to the context
diff --git a/library/helpers/extractStringsFromUserInput.test.ts b/library/helpers/extractStringsFromUserInput.test.ts
@@ -10,6 +10,10 @@ t.test("empty object returns empty array", async () => {
   t.same(extractStringsFromUserInput({}), fromArr([]));
 });
 
+t.test("empty strings are ignored", async () => {
+  t.same(extractStringsFromUserInput({ abc: "" }), fromArr(["abc"]));
+});
+
 t.test("it can extract query objects", async () => {
   t.same(
     extractStringsFromUserInput({ age: { $gt: "21" } }),
diff --git a/library/helpers/extractStringsFromUserInput.ts b/library/helpers/extractStringsFromUserInput.ts
@@ -42,7 +42,7 @@ export function extractStringsFromUserInput(
     results.add(obj.join());
   }
 
-  if (typeof obj === "string") {
+  if (typeof obj === "string" && obj.length > 0) {
     results.add(obj);
 
     if (obj.includes("%") && obj.length >= 3) {

Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,7 @@ export function extractStringsFromUserInput(`
`42`	`42`	`results.add(obj.join());`
`43`	`43`	`}`
`44`	`44`
`45`		`- if (typeof obj === "string") {`
	`45`	`+ if (typeof obj === "string" && obj.length > 0) {`
`46`	`46`	`results.add(obj);`
`47`	`47`
`48`	`48`	`if (obj.includes("%") && obj.length >= 3) {`