[security] Prevent overriding of build-in properties by default (#19)

[security] Prevent overriding of built-in properties by default
3rd-Eden committed Apr 19, 2018
1 parent 0b65759 commit 422eb4f6c7c28ee5f100dcc64177d3b68bb2b080
Showing with 27 additions and 19 deletions.
  1. +3 −6 .travis.yml
  2. +12 −9 index.js
  3. +4 −4 package.json
  4. +8 −0 test.js
@@ -1,13 +1,10 @@
sudo: false
language: node_js
node_js:
- "5"
- "4"
- "0.12"
- "0.10"
- "0.8"
before_install:
- 'if [ "${TRAVIS_NODE_VERSION}" == "0.8" ]; then npm install -g npm@2.14.15; fi'
- "6"
- "8"
- "9"
script:
- "npm run test-travis"
after_script:
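--- a/index.js
+++ b/index.js
@@ -25,15 +25,18 @@ function querystring(query) {
 , result = {}
 , part;
 
-//
-// Little nifty parsing hack, leverage the fact that RegExp.exec increments
-// the lastIndex property so we can continue executing this loop until we've
-// parsed all results.
-//
-for (;
-part = parser.exec(query);
-result[decode(part[1])] = decode(part[2])
-);
+while (part = parser.exec(query)) {
+var key = decode(part[1])
+, value = decode(part[2]);
+
+//
+// Prevent overriding of existing properties. This ensures that build-in
+// methods like `toString` or __proto__ are not overriden by malicious
+// querystrings.
+//
+if (key in result) continue;
+result[key] = value;
+}
 
 return result;
 }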
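Review bot: The `if (key in result) continue;` guard changes duplicate-key handling as a side effect that the comment above it does not mention: `?a=1&a=2` now keeps the first value, whereas the replaced for-loop kept the last one. That deserves a sentence next to the guard so callers are not surprised, e.g. `// Side effect: a repeated key keeps its first value; later duplicates are skipped.` Because `in` walks the prototype chain, any key naming an inherited `Object.prototype` member (`constructor`, `hasOwnProperty`, `valueOf`, …) is silently dropped rather than set; that is the intended hardening here, but if those keys matter to callers a `result` created with `Object.create(null)` would keep them while still being safe, at the cost of an object without `toString`. The comment also misspells "built-in" and "overridden". The body of `querystring` begins before this hunk.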
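--- a/package.json
+++ b/package.json
@@ -31,9 +31,9 @@
 },
 "homepage": "https://github.com/unshiftio/querystringify",
 "devDependencies": {
-"assume": "~1.5.0",
-"istanbul": "0.4.x",
-"mocha": "~3.5.0",
-"pre-commit": "~1.2.0"
+"assume": "^2.0.1",
+"istanbul": "^0.4.5",
+"mocha": "^5.1.1",
+"pre-commit": "^1.2.2"
 }
 }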
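--- a/test.js
+++ b/test.js
@@ -63,6 +63,14 @@ describe('querystringify', function () {
 assume(obj.shizzle).equals('mynizzle');
 });
 
+it('does not overide prototypes', function () {
+var obj = qs.parse('?toString&__proto__=lol');
+
+assume(obj).is.a('object');
+assume(obj.toString).is.a('function');
+assume(obj.__proto__).does.not.equals('lol');
+});
+
 it('works with querystring parameters without values', function () {
 var obj = qs.parse('?foo&bar=&shizzle=mynizzle');
 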
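Review bot: The `__proto__` assertion in the new test is weaker than it looks: assigning a string to `__proto__` is ignored by the engine, so `obj.__proto__` would not equal `'lol'` even without the guard, and only the `toString` assertion actually exercises the fix. Asserting the prototype directly, `assume(Object.getPrototypeOf(obj)).equals(Object.prototype);` (or whichever strict-equality helper assume offers), pins what the guard is meant to protect. The test also does not cover the duplicate-key behaviour the guard introduces; `assume(qs.parse('?a=1&a=2').a).equals('1');` would document that the first value now wins, assuming `decode` passes plain digits through unchanged. The test name misspells "override".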