fix: correct off-by-one error in parameterCount (#716)

abhu85 · jonchurch · web-flow · commit 6f24d7e8bcd9 · 2026-04-23T19:22:43.000-04:00
* fix: correct off-by-one error in parameterCount The `parameterCount` function was counting `&` characters but returning that count directly. Since the number of parameters equals the number of `&` characters plus one, this caused an off-by-one error. For example, with `a[0]=1&a[1]=2&...&a[199]=200` (200 parameters): - Before: returned 199 (number of `&` chars) - After: returns 200 (actual parameter count) This bug became visible with qs@6.14.2 which changed `arrayLimit` to restrict array length instead of max index. With the buggy count, large arrays would be converted to objects instead of arrays. - Fix `parameterCount` to return the actual count of parameters Fixes #715 * deps(qs): bump to ~6.14.2 * refactor: use 2.x do/while loop for parameterCount The previous while loop counted '&' separators, so the return value was (parameter count - 1). That happened to work because old qs treated `arrayLimit` as a max-index rather than max-length. The limit check itself was always correct, only the return value was off relative to the function's name. Rather than patch with `+1`, port the 2.x version where `count` directly represents parameter count. The do/while runs once unconditionally for the first parameter (before any '&'), then increments per '&' found. do/while is safe because the caller at line 74 guards empty bodies (`body.length ? queryparse(body) : {}`). If that guard were removed, this would incorrectly return 1 for empty input. Simple parser is unaffected, it only checks for `undefined` and discards the count. Only the extended parser consumed the value, as input to qs's `arrayLimit`. * docs: update HISTORY.md --------- Co-authored-by: Jon Church <me@jonchurch.com>
diff --git a/HISTORY.md b/HISTORY.md
@@ -1,6 +1,8 @@
 Unreleased
 ===================
 * refactor(json): simplify strict mode error string construction 
+* fix: extended urlencoded parsing of arrays with >100 elements (#716)
+* deps: qs@~6.14.2
 
 1.20.4 / 2025-12-01
 ===================
diff --git a/lib/types/urlencoded.js b/lib/types/urlencoded.js
@@ -206,16 +206,15 @@ function getCharset (req) {
 
 function parameterCount (body, limit) {
   var count = 0
-  var index = 0
+  var index = -1
 
-  while ((index = body.indexOf('&', index)) !== -1) {
+  do {
     count++
-    index++
-
-    if (count === limit) {
+    if (count > limit) {
       return undefined
     }
-  }
+    index = body.indexOf('&', index + 1)
+  } while (index !== -1)
 
   return count
 }
diff --git a/package.json b/package.json
@@ -17,7 +17,7 @@
     "http-errors": "~2.0.1",
     "iconv-lite": "~0.4.24",
     "on-finished": "~2.4.1",
-    "qs": "~6.14.1",
+    "qs": "~6.14.2",
     "raw-body": "~2.5.3",
     "type-is": "~1.6.18",
     "unpipe": "~1.0.0"
