LGTM.com - false positive [Node.JS Express]

[asportnoy]

The error is saying that the query parameter could be either a string or an array, which could allow users to bypass sanitizing/validation. However, I have validation middleware which checks the type and ensures it is not an array. If I open that route with the query string specified multiple times (which is what would cause it to be an array), the validator correctly sends me an error and prevents the flagged code from running.

LGTM page
Code

[aeisenberg]

Thank you for raising this issue. It looks like you have defined a sanitizer on line 46, but the queries are not recognizing it. Since this is security related, the team maintaining the javascript libraries will be interested. I will let them know. However, I am not sure if there is much they can do.

lgtm.com has facilities for suppressing individual alerts or disabling a query. This may be the most efficient option for you.