# Improper Handling of Extra Parameters (CWE-235)

The product does not handle, or incorrectly handles, the case where the number of parameters, fields, or arguments with the same name exceeds the expected amount.

**Stack:** JavaScript

- Prevalence: Medium (covers 2 languages)
- Impact: Medium (review recommended)
- Prevention: 2 remediation examples recorded

**OWASP:** A03:2021 Injection (#3)

## Description

When an application receives duplicate parameters, the layers that read them may resolve the duplicates inconsistently, which leads to security bypasses or logic errors. Different frameworks and libraries select the first value, the last value, or combine all values (Express, for example, turns a repeated query or body key into an array). A check that sees one value while the code it protects sees another is no check at all.

## Prevention

Prevention strategy for Improper Handling of Extra Parameters, based on 1 Shoulder detection rule.

### JavaScript

Add the `hpp` middleware to normalize duplicate query parameters. Whatever policy you choose (first value, last value, or reject), apply it once, early in the middleware chain, so that every handler downstream sees a single string per key.

## Warning Signs

- [LOW] Request parameters used without HPP protection. Express converts duplicate query/body parameters to arrays, which can bypass validation.
- [LOW] Missing HTTP Parameter Pollution (HPP) protection in Express.

## Consequences

- Bypass of protection mechanisms
- Modification of application data

## Mitigations

- Define and enforce a single policy for handling duplicate parameters.
- Reject requests that contain duplicate security-sensitive parameters.
- Use frameworks that handle duplicates consistently.

## Detection

- Total rules: 2
- Languages: javascript, typescript, python

## Rules by Language

### Javascript (1 rule)

- **HTTP Parameter Pollution Prevention in Express.js** [LOW]: Detects missing HTTP Parameter Pollution (HPP) protection in Express.js applications.
  - Remediation, Option 1 (recommended): add the `hpp` middleware.

    ```javascript
    // npm install hpp
    const hpp = require('hpp');
    app.use(hpp());
    ```

  - Remediation, Option 2: validate parameters manually.

    ```javascript
    const value = Array.isArray(req.query.param)
      ? req.query.param[0] // take the first value
      : req.query.param;
    ```

### Typescript (1 rule)

- **HTTP Parameter Pollution Prevention in Express.js** [LOW]: Detects missing HTTP Parameter Pollution (HPP) protection in Express.js applications.
  - Remediation, Option 1 (recommended): add the `hpp` middleware.

    ```javascript
    // npm install hpp
    const hpp = require('hpp');
    app.use(hpp());
    ```

  - Remediation, Option 2: validate parameters manually.

    ```javascript
    const value = Array.isArray(req.query.param)
      ? req.query.param[0] // take the first value
      : req.query.param;
    ```

Note that the two options disagree: `hpp` keeps the last value of a repeated key, while Option 2 keeps the first. Mixing them in one application recreates the inconsistency this weakness describes, so pick one and use it everywhere.