

Take 2
dead-claudia committed Jul 28, 2019
1 parent 9d3ce5f commit e58e918
Showing 2 changed files with 10 additions and 8 deletions.
11 changes: 5 additions & 6 deletions querystring/parse.js
Expand Up @@ -19,7 +19,6 @@ module.exports = function(string) {
for (var j = 0; j < levels.length; j++) {
var level = levels[j], nextLevel = levels[j + 1]
var isNumber = nextLevel == "" || !isNaN(parseInt(nextLevel, 10))
var isValue = j === levels.length - 1
if (level === "") {
var key = levels.slice(0, j).join()
if (counters[key] == null) {
Expand All @@ -29,15 +28,15 @@ module.exports = function(string) {
}
// Disallow direct prototype pollution
else if (level === "__proto__") break
if (isValue) cursor[level] = value
if (j === levels.length - 1) cursor[level] = value
else {
// Read own properties exclusively to disallow indirect
// prototype pollution
value = Object.getOwnPropertyDescriptor(cursor, level)
if (value != null) value = value.value
if (value == null) value = cursor[level] = isNumber ? [] : {}
var desc = Object.getOwnPropertyDescriptor(cursor, level)
if (desc != null) desc = desc.value
if (desc == null) cursor[level] = desc = isNumber ? [] : {}
cursor = desc
}
cursor = value
}
}
return data
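Review bot: The new own-property lookup, from `var desc = Object.getOwnPropertyDescriptor(cursor, level)` through `cursor = desc`, accepts any non-nullish own value as the next container, so when an earlier key already stored a string at that level (a constructed example is `a=1&a[b]=2`) `cursor` becomes the primitive "1" and the following iteration's `cursor[level] = ...` is either lost in a detached object in sloppy mode or throws a TypeError under strict mode. The hunk does not say which outcome is intended, but the choice should be explicit at the point where a value is typed as a container rather than falling out of a property write on a primitive; if replacing the scalar is acceptable, `if (desc == null || typeof desc !== "object") cursor[level] = desc = isNumber ? [] : {}` does it in one line, otherwise a `break` on a non-object `desc` keeps the first value. Keeping that check beside the own-property read also keeps the indirect-pollution guard described in the comment above it in one place. The enclosing function, and the `levels`, `counters`, `value` and `data` bindings it uses, begin outside the hunk.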
7 changes: 5 additions & 2 deletions querystring/tests/test-parseQueryString.js
Expand Up @@ -105,8 +105,11 @@ o.spec("parseQueryString", function() {
})
o("doesn't pollute prototype indirectly, retains `constructor`", function() {
var prev = Object.prototype.toString
var data = parseQueryString("constructor%5Bprototype%5D%5BtoString%5D=123")
var data = parseQueryString("a=b&constructor%5Bprototype%5D%5BtoString%5D=123")
o(Object.prototype.toString).equals(prev)
o(data).deepEquals({a: "b"})
// The deep matcher is borked here.
o(Object.keys(data)).deepEquals(["a", "constructor"])
o(data.a).equals("b")
o(data.constructor).deepEquals({prototype: {toString: "123"}})
})
})
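Review bot: The comment `// The deep matcher is borked here.` above the new key-by-key assertions records a workaround without saying what it works around, so a later reader cannot tell when the whole-object `deepEquals` it replaces could return. From the assertions it appears that an own `constructor` key on `data` is what trips `deepEquals`, but the hunk does not show the failure; name the observed symptom instead, e.g. `// deepEquals misreports objects carrying an own \`constructor\` key (unconfirmed); compare key-by-key instead`. It is also worth a one-line comment that `o(data.constructor).deepEquals({prototype: {toString: "123"}})` is the assertion that pins the string "123" reaching the leaf, since that is the behaviour the parser change in this commit guards, so the regression being covered is recognisable from the test alone.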
