Skip to content

Commit

Permalink
[security] Prevent overriding of build-in properties by default (#19)
Browse files Browse the repository at this point in the history
[security] Prevent overriding of build-in properties by default
  • Loading branch information
3rd-Eden authored Apr 19, 2018
1 parent 0b65759 commit 422eb4f
Show file tree
Hide file tree
Showing 4 changed files with 27 additions and 19 deletions.
9 changes: 3 additions & 6 deletions .travis.yml
Original file line number Diff line number Diff line change
@@ -1,13 +1,10 @@
sudo: false
language: node_js
node_js:
- "5"
- "4"
- "0.12"
- "0.10"
- "0.8"
before_install:
- 'if [ "${TRAVIS_NODE_VERSION}" == "0.8" ]; then npm install -g npm@2.14.15; fi'
- "6"
- "8"
- "9"
script:
- "npm run test-travis"
after_script:
Expand Down
21 changes: 12 additions & 9 deletions index.js
Original file line number Diff line number Diff line change
Expand Up @@ -25,15 +25,18 @@ function querystring(query) {
, result = {}
, part;

//
// Little nifty parsing hack, leverage the fact that RegExp.exec increments
// the lastIndex property so we can continue executing this loop until we've
// parsed all results.
//
for (;
part = parser.exec(query);
result[decode(part[1])] = decode(part[2])
);
while (part = parser.exec(query)) {
var key = decode(part[1])
, value = decode(part[2]);

//
// Prevent overriding of existing properties. This ensures that build-in
// methods like `toString` or __proto__ are not overriden by malicious
// querystrings.
//
if (key in result) continue;
result[key] = value;
}

return result;
}
Expand Down
8 changes: 4 additions & 4 deletions package.json
Original file line number Diff line number Diff line change
Expand Up @@ -31,9 +31,9 @@
},
"homepage": "https://github.com/unshiftio/querystringify",
"devDependencies": {
"assume": "~1.5.0",
"istanbul": "0.4.x",
"mocha": "~3.5.0",
"pre-commit": "~1.2.0"
"assume": "^2.0.1",
"istanbul": "^0.4.5",
"mocha": "^5.1.1",
"pre-commit": "^1.2.2"
}
}
8 changes: 8 additions & 0 deletions test.js
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,14 @@ describe('querystringify', function () {
assume(obj.shizzle).equals('mynizzle');
});

it('does not overide prototypes', function () {
var obj = qs.parse('?toString&__proto__=lol');

assume(obj).is.a('object');
assume(obj.toString).is.a('function');
assume(obj.__proto__).does.not.equals('lol');
});

it('works with querystring parameters without values', function () {
var obj = qs.parse('?foo&bar=&shizzle=mynizzle');

Expand Down

0 comments on commit 422eb4f

Please sign in to comment.