Skip to content

Commit

Permalink
[Fix] ensure that allowPrototypes: false does not ever shadow Objec…
Browse files Browse the repository at this point in the history
…t.prototype properties.
  • Loading branch information
ljharb committed Feb 14, 2017
1 parent 335f839 commit 50ea161
Show file tree
Hide file tree
Showing 2 changed files with 36 additions and 11 deletions.
10 changes: 5 additions & 5 deletions lib/parse.js
Original file line number Original file line Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ var parseObject = function parseObject(chain, val, options) {
obj = obj.concat(parseObject(chain, val, options)); obj = obj.concat(parseObject(chain, val, options));
} else { } else {
obj = options.plainObjects ? Object.create(null) : {}; obj = options.plainObjects ? Object.create(null) : {};
var cleanRoot = root[0] === '[' && root[root.length - 1] === ']' ? root.slice(1, root.length - 1) : root; var cleanRoot = root.charAt(0) === '[' && root.charAt(root.length - 1) === ']' ? root.slice(1, -1) : root;
var index = parseInt(cleanRoot, 10); var index = parseInt(cleanRoot, 10);
if ( if (
!isNaN(index) && !isNaN(index) &&
Expand Down Expand Up @@ -84,8 +84,8 @@ var parseKeys = function parseKeys(givenKey, val, options) {


// The regex chunks // The regex chunks


var parent = /^([^\[\]]*)/; var parent = /^([^[]*)/;
var child = /(\[[^\[\]]*\])/g; var child = /(\[[^[\]]*])/g;


// Get the parent // Get the parent


Expand All @@ -111,9 +111,9 @@ var parseKeys = function parseKeys(givenKey, val, options) {
var i = 0; var i = 0;
while ((segment = child.exec(key)) !== null && i < options.depth) { while ((segment = child.exec(key)) !== null && i < options.depth) {
i += 1; i += 1;
if (!options.plainObjects && has.call(Object.prototype, segment[1].replace(/\[|\]/g, ''))) { if (!options.plainObjects && has.call(Object.prototype, segment[1].slice(1, -1))) {
if (!options.allowPrototypes) { if (!options.allowPrototypes) {
continue; return;
} }
} }
keys.push(segment[1]); keys.push(segment[1]);
Expand Down
37 changes: 31 additions & 6 deletions test/parse.js
Original file line number Original file line Diff line number Diff line change
Expand Up @@ -122,10 +122,10 @@ test('parse()', function (t) {
st.deepEqual(qs.parse('foo[bad]=baz&foo[]=bar&foo[]=foo'), { foo: { bad: 'baz', '0': 'bar', '1': 'foo' } }); st.deepEqual(qs.parse('foo[bad]=baz&foo[]=bar&foo[]=foo'), { foo: { bad: 'baz', '0': 'bar', '1': 'foo' } });
st.deepEqual(qs.parse('foo[0][a]=a&foo[0][b]=b&foo[1][a]=aa&foo[1][b]=bb'), { foo: [{ a: 'a', b: 'b' }, { a: 'aa', b: 'bb' }] }); st.deepEqual(qs.parse('foo[0][a]=a&foo[0][b]=b&foo[1][a]=aa&foo[1][b]=bb'), { foo: [{ a: 'a', b: 'b' }, { a: 'aa', b: 'bb' }] });


st.deepEqual(qs.parse('a[]=b&a[t]=u&a[hasOwnProperty]=c', { allowPrototypes: false }), { a: { '0': 'b', c: true, t: 'u' } }); st.deepEqual(qs.parse('a[]=b&a[t]=u&a[hasOwnProperty]=c', { allowPrototypes: false }), { a: { 0: 'b', t: 'u' } });
st.deepEqual(qs.parse('a[]=b&a[t]=u&a[hasOwnProperty]=c', { allowPrototypes: true }), { a: { '0': 'b', t: 'u', hasOwnProperty: 'c' } }); st.deepEqual(qs.parse('a[]=b&a[t]=u&a[hasOwnProperty]=c', { allowPrototypes: true }), { a: { 0: 'b', t: 'u', hasOwnProperty: 'c' } });
st.deepEqual(qs.parse('a[]=b&a[hasOwnProperty]=c&a[x]=y', { allowPrototypes: false }), { a: { '0': 'b', '1': 'c', x: 'y' } }); st.deepEqual(qs.parse('a[]=b&a[hasOwnProperty]=c&a[x]=y', { allowPrototypes: false }), { a: { 0: 'b', x: 'y' } });
st.deepEqual(qs.parse('a[]=b&a[hasOwnProperty]=c&a[x]=y', { allowPrototypes: true }), { a: { '0': 'b', hasOwnProperty: 'c', x: 'y' } }); st.deepEqual(qs.parse('a[]=b&a[hasOwnProperty]=c&a[x]=y', { allowPrototypes: true }), { a: { 0: 'b', hasOwnProperty: 'c', x: 'y' } });
st.end(); st.end();
}); });


Expand Down Expand Up @@ -402,9 +402,34 @@ test('parse()', function (t) {
st.end(); st.end();
}); });


t.test('does not allow overwriting prototype properties', function (st) {
st.deepEqual(qs.parse('a[hasOwnProperty]=b', { allowPrototypes: false }), {});
st.deepEqual(qs.parse('hasOwnProperty=b', { allowPrototypes: false }), {});

st.deepEqual(
qs.parse('toString', { allowPrototypes: false }),
{},
'bare "toString" results in {}'
);

st.end();
});

t.test('can allow overwriting prototype properties', function (st) { t.test('can allow overwriting prototype properties', function (st) {
st.deepEqual(qs.parse('a[hasOwnProperty]=b', { allowPrototypes: true }), { a: { hasOwnProperty: 'b' } }, { prototype: false }); st.deepEqual(qs.parse('a[hasOwnProperty]=b', { allowPrototypes: true }), { a: { hasOwnProperty: 'b' } });
st.deepEqual(qs.parse('hasOwnProperty=b', { allowPrototypes: true }), { hasOwnProperty: 'b' }, { prototype: false }); st.deepEqual(qs.parse('hasOwnProperty=b', { allowPrototypes: true }), { hasOwnProperty: 'b' });

st.deepEqual(
qs.parse('toString', { allowPrototypes: true }),
{ toString: '' },
'bare "toString" results in { toString: "" }'
);

st.end();
});

t.test('params starting with a closing bracket', function (st) {
st.deepEqual(qs.parse(']=toString'), { ']': 'toString' });
st.end(); st.end();
}); });


Expand Down

0 comments on commit 50ea161

Please sign in to comment.