Skip to content

Commit

Permalink
fix: security issue gh closes #44
Browse files Browse the repository at this point in the history
  • Loading branch information
bigopon committed Jun 9, 2021
1 parent 4aa9088 commit 7c4e235
Show file tree
Hide file tree
Showing 3 changed files with 351 additions and 315 deletions.
11 changes: 7 additions & 4 deletions src/index.js → src/index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -158,7 +158,7 @@ function buildParam(key: string, value: any, traditional?: boolean): Array<strin
* @param traditional Boolean Use the old URI template standard (RFC6570)
* @returns The generated query string, excluding leading '?'.
*/
export function buildQueryString(params: Object, traditional?: Boolean): string {
export function buildQueryString(params?: Object, traditional?: boolean): string {
let pairs = [];
let keys = Object.keys(params || {}).sort();
for (let i = 0, len = keys.length; i < len; i++) {
Expand Down Expand Up @@ -203,16 +203,19 @@ function processScalarParam(existedParam: Object, value: Object): Object {
* @param keys Collection of keys related to this parameter.
* @param value Parameter value to append.
*/
function parseComplexParam(queryParams: Object, keys: Object, value: any): void {
function parseComplexParam(queryParams: Object, keys: (string | number)[], value: any): void {
let currentParams = queryParams;
let keysLastIndex = keys.length - 1;
for (let j = 0; j <= keysLastIndex; j++) {
let key = keys[j] === '' ? currentParams.length : keys[j];
let key = keys[j] === '' ? (currentParams as any).length : keys[j];
if (key === '__proto__') {
throw new Error('Prototype pollution detected.');
}
if (j < keysLastIndex) {
// The value has to be an array or a false value
// It can happen that the value is no array if the key was repeated with traditional style like `list=1&list[]=2`
let prevValue = !currentParams[key] || typeof currentParams[key] === 'object' ? currentParams[key] : [currentParams[key]];
currentParams = currentParams[key] = prevValue || (isNaN(keys[j + 1]) ? {} : []);
currentParams = currentParams[key] = prevValue || (isNaN(keys[j + 1] as number) ? {} : []);
} else {
currentParams = currentParams[key] = value;
}
Expand Down
311 changes: 0 additions & 311 deletions test/path.spec.js

This file was deleted.

Loading

0 comments on commit 7c4e235

Please sign in to comment.