properly parse query string

flyerhzm · flyerhzm · commit 5723105e3142 · 2025-04-21T14:27:30.000+08:00
diff --git a/lib/bullet/rack.rb b/lib/bullet/rack.rb
@@ -2,6 +2,7 @@
 
 require 'rack/request'
 require 'json'
+require 'cgi'
 
 module Bullet
   class Rack
@@ -85,17 +86,20 @@ def skip_html_injection?(request)
       query_string = request.env['QUERY_STRING']
       return false if query_string.nil? || query_string.empty?
 
-      if defined?(::Rack::QueryParser)
-        parser = ::Rack::QueryParser.new
-        params = parser.parse_nested_query(query_string)
-      else
-        # compatible with rack 1.x,
-        # remove it after dropping rails 4.2 suppport
-        params = ::Rack::Utils.parse_nested_query(query_string)
-      end
+      params = simple_parse_query_string(query_string)
       params['skip_html_injection'] == 'true'
     end
 
+    # Simple query string parser
+    def simple_parse_query_string(query_string)
+      params = {}
+      query_string.split('&').each do |pair|
+        key, value = pair.split('=', 2).map { |s| CGI.unescape(s) }
+        params[key] = value if key && !key.empty?
+      end
+      params
+    end
+
     def file?(headers)
       headers['Content-Transfer-Encoding'] == 'binary' || headers['Content-Disposition']
     end
diff --git a/spec/bullet/rack_spec.rb b/spec/bullet/rack_spec.rb
@@ -33,6 +33,40 @@ module Bullet
       end
     end
 
+    context '#skip_html_injection?' do
+      let(:request) { double('request') }
+
+      it 'should return false if query_string is nil' do
+        allow(request).to receive(:env).and_return({ 'QUERY_STRING' => nil })
+        expect(middleware.skip_html_injection?(request)).to be_falsey
+      end
+
+      it 'should return false if query_string is empty' do
+        allow(request).to receive(:env).and_return({ 'QUERY_STRING' => '' })
+        expect(middleware.skip_html_injection?(request)).to be_falsey
+      end
+
+      it 'should return true if skip_html_injection parameter is true' do
+        allow(request).to receive(:env).and_return({ 'QUERY_STRING' => 'skip_html_injection=true' })
+        expect(middleware.skip_html_injection?(request)).to be_truthy
+      end
+
+      it 'should return false if skip_html_injection parameter is not true' do
+        allow(request).to receive(:env).and_return({ 'QUERY_STRING' => 'skip_html_injection=false' })
+        expect(middleware.skip_html_injection?(request)).to be_falsey
+      end
+
+      it 'should return false if skip_html_injection parameter is not present' do
+        allow(request).to receive(:env).and_return({ 'QUERY_STRING' => 'other_param=value' })
+        expect(middleware.skip_html_injection?(request)).to be_falsey
+      end
+
+      it 'should handle complex query strings' do
+        allow(request).to receive(:env).and_return({ 'QUERY_STRING' => 'param1=value1&skip_html_injection=true&param2=value2' })
+        expect(middleware.skip_html_injection?(request)).to be_truthy
+      end
+    end
+
     context 'empty?' do
       it 'should be false if response is a string and not empty' do
         response = double(body: '<html><head></head><body></body></html>')
