querystring module swallows `__proto__` key
If a URL contains `__proto__=123`, that has no meaning for any other server out there and it is handled like a regular string.
However, the querystring module swallows the key, probably trying to set the string `"123"`
as the returned object's prototype.
Since every other key is set as `{configurable: true, writable: true, enumerable: true, value: decodedValue}`,
I think that in the very special `key in out && !hasOwnProperty.call(out, key)` case the returned `out`
object should have its properties set as such:
```js
Object.defineProperty(
  out,
  key,
  {
    configurable: true,
    enumerable: true,
    writable: true,
    value: options.decodeURIComponent(value)
  });
```
This would ensure consistency with any sort of possibly dangerous key inherited, as a setter or getter, through `Object.prototype`.
- Version: v5.7.1
- Platform: Linux archibold 4.4.3-1-ARCH #1 SMP PREEMPT Fri Feb 26 15:09:29 CET 2016 x86_64 GNU/Linux (it's just ArchLinux)
- Subsystem: querystring
Best Regards
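The behaviour described in the issue, reproduced with a minimal parser written two ways (added example; this is not code from the issue author or from Node's querystring module). `parseNaive` assigns with `out[key] = value`, so a `__proto__` key hits the inherited `Object.prototype.__proto__` accessor and is dropped; `parseSafe` defines every first occurrence as an own data property with `Object.defineProperty`, which shadows the accessor and keeps the key while leaving the object's prototype untouched. The helper names (`pairs`, `append`) and the sample query string are constructed for this example.

```javascript
// Added example: not code from the Node.js issue or from the querystring
// module. A minimal query-string parser written two ways, to show why the
// `__proto__` key vanishes under plain assignment and survives when the
// property is defined with Object.defineProperty, as the issue proposes.
const hasOwnProperty = Object.prototype.hasOwnProperty;

// Split "a=1&b=2" into [key, value] pairs, percent-decoding both sides.
function pairs(qs) {
  const result = [];
  for (const part of qs.split('&')) {
    if (part === '') continue;
    const idx = part.indexOf('=');
    const rawKey = idx === -1 ? part : part.slice(0, idx);
    const rawValue = idx === -1 ? '' : part.slice(idx + 1);
    result.push([decodeURIComponent(rawKey), decodeURIComponent(rawValue)]);
  }
  return result;
}

// Repeated keys are collected into an array, as querystring.parse does.
// Only called when `key` is already an own property of `out`.
function append(out, key, value) {
  const existing = out[key];
  if (Array.isArray(existing)) {
    existing.push(value);
  } else {
    out[key] = [existing, value];
  }
}

// Naive version: `out[key] = value`. For key "__proto__" this invokes the
// inherited Object.prototype.__proto__ setter; a string is not a valid
// prototype, so the setter ignores it and the pair is silently lost.
function parseNaive(qs) {
  const out = {};
  for (const [key, value] of pairs(qs)) {
    if (!hasOwnProperty.call(out, key)) {
      out[key] = value;
    } else {
      append(out, key, value);
    }
  }
  return out;
}

// Fixed version: define the key as an own data property, exactly like every
// other key. The own property shadows the inherited accessor, so "__proto__"
// is kept as a plain string and the prototype of `out` is left untouched.
function parseSafe(qs) {
  const out = {};
  for (const [key, value] of pairs(qs)) {
    if (!hasOwnProperty.call(out, key)) {
      Object.defineProperty(out, key, {
        configurable: true,
        enumerable: true,
        writable: true,
        value,
      });
    } else {
      append(out, key, value);
    }
  }
  return out;
}

// Sample query string (constructed for this example).
const SAMPLE = '__proto__=123&a=1&a=2&b=%20';

console.log(Object.keys(parseNaive(SAMPLE))); // [ 'a', 'b' ]  (__proto__ swallowed)
console.log(Object.keys(parseSafe(SAMPLE)));  // [ '__proto__', 'a', 'b' ]
```

Note that `parseSafe` still uses `hasOwnProperty.call(out, key)` captured from `Object.prototype` rather than `out.hasOwnProperty(...)`, so a query containing a `hasOwnProperty=` key cannot hijack the check either.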