[Fix] parse: ignore __proto__ keys (#428)

ljharb · ljharb · commit ba24e74dd179 · 2021-12-27T19:15:57.000-08:00
diff --git a/lib/parse.js b/lib/parse.js
@@ -68,7 +68,7 @@ var parseObject = function parseObject(chain, val, options) {
         ) {
             obj = [];
             obj[index] = parseObject(chain, val, options);
-        } else {
+        } else if (cleanRoot !== '__proto__') {
             obj[cleanRoot] = parseObject(chain, val, options);
         }
     }
diff --git a/test/parse.js b/test/parse.js
@@ -476,6 +476,66 @@ test('parse()', function (t) {
         st.end();
     });
 
+    t.test('dunder proto is ignored', function (st) {
+        var payload = 'categories[__proto__]=login&categories[__proto__]&categories[length]=42';
+        var result = qs.parse(payload, { allowPrototypes: true });
+
+        st.deepEqual(
+            result,
+            {
+                categories: {
+                    length: '42'
+                }
+            },
+            'silent [[Prototype]] payload'
+        );
+
+        var plainResult = qs.parse(payload, { allowPrototypes: true, plainObjects: true });
+
+        st.deepEqual(
+            plainResult,
+            {
+                __proto__: null,
+                categories: {
+                    __proto__: null,
+                    length: '42'
+                }
+            },
+            'silent [[Prototype]] payload: plain objects'
+        );
+
+        var query = qs.parse('categories[__proto__]=cats&categories[__proto__]=dogs&categories[some][json]=toInject', { allowPrototypes: true });
+
+        st.notOk(Array.isArray(query.categories), 'is not an array');
+        st.notOk(query.categories instanceof Array, 'is not instanceof an array');
+        st.deepEqual(query.categories, { some: { json: 'toInject' } });
+        st.equal(JSON.stringify(query.categories), '{"some":{"json":"toInject"}}', 'stringifies as a non-array');
+
+        st.deepEqual(
+            qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true }),
+            {
+                foo: {
+                    bar: 'stuffs'
+                }
+            },
+            'hidden values'
+        );
+
+        st.deepEqual(
+            qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true, plainObjects: true }),
+            {
+                __proto__: null,
+                foo: {
+                    __proto__: null,
+                    bar: 'stuffs'
+                }
+            },
+            'hidden values: plain objects'
+        );
+
+        st.end();
+    });
+
     t.test('can return null objects', { skip: !Object.create }, function (st) {
         var expected = Object.create(null);
         expected.a = Object.create(null);

Original file line number	Diff line number	Diff line change
`@@ -68,7 +68,7 @@ var parseObject = function parseObject(chain, val, options) {`
`68`	`68`	`) {`
`69`	`69`	`obj = [];`
`70`	`70`	`obj[index] = parseObject(chain, val, options);`
`71`		`- } else {`
	`71`	`+ } else if (cleanRoot !== '__proto__') {`
`72`	`72`	`obj[cleanRoot] = parseObject(chain, val, options);`
`73`	`73`	`}`
`74`	`74`	`}`