From: Alex Kozack
Date: Mon, 26 Apr 2021 15:26:46 +0000 (+0300)
Subject: fix: do not allow invalid hazardous keys in query (#880)
X-Git-Tag: v4.0.7~23
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ecd52e017ac30fa996d4796974371374f65640d1;p=thirdparty%2Fvuejs%2Frouter.git

fix: do not allow invalid hazardous keys in query (#880)

Co-authored-by: Eduardo San Martin Morote
---
diff --git a/__tests__/parseQuery.spec.ts b/__tests__/parseQuery.spec.ts
index b16c8624..7c849bbd 100644
--- a/__tests__/parseQuery.spec.ts
+++ b/__tests__/parseQuery.spec.ts
@@ -85,4 +85,15 @@ describe('parseQuery', () => {
 expect('decoding "%"').toHaveBeenWarnedTimes(1)
 })
+
+ it('ignores __proto__', () => {
+ const query = parseQuery('__proto__=1')
+ expect(query.__proto__).toEqual(Object.prototype)
+ expect(query.constructor).toEqual(Object)
+ })
+
+ it('ignores build-in methods', () => {
+ const query = parseQuery('toString=1')
+ expect(query.toString).toEqual(Object.prototype.toString)
+ })
 })
diff --git a/src/query.ts b/src/query.ts
index f13c1704..c936c7a2 100644
--- a/src/query.ts
+++ b/src/query.ts
@@ -55,6 +55,12 @@ export function parseQuery(search: string): LocationQuery {
 // allow the = character
 let eqPos = searchParam.indexOf('=')
 let key = decode(eqPos < 0 ? searchParam : searchParam.slice(0, eqPos))
+
+ // this ignores ?__proto__&toString
+ if (Object.prototype.hasOwnProperty(key)) {
+ continue
+ }
+
 let value = eqPos < 0 ? null : decode(searchParam.slice(eqPos + 1))
 if (key in query) {
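Review bot: The second test's title has a typo, `it('ignores built-in methods', () => {`, and both new tests compare identity-bearing values with `toEqual`, which only checks structural equality; `expect(query.__proto__).toBe(Object.prototype)` and `expect(query.toString).toBe(Object.prototype.toString)` pin that the prototype and the inherited method are genuinely untouched rather than merely shaped alike. Neither test covers a hazardous key given without a value (`parseQuery('__proto__')`) or a key such as `constructor=1`, both of which the guard in src/query.ts also drops; one extra case for each would document the intended scope of the fix. The enclosing describe block starts outside the hunk.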
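Review bot: The new guard relies on `query` being a plain object whose only prototype is `Object.prototype`, while the `key in query` lookup on the hunk's last line still walks the prototype chain; the two checks are coupled, and since `query` is constructed outside the hunk I cannot confirm that assumption from here. Making the later check own-property based, `if (Object.prototype.hasOwnProperty.call(query, key)) {`, keeps the duplicate-key merge correct even if the guard above is relaxed later or the result object ever gets a different prototype. The comment should also say why the keys are dropped, e.g. `// skip keys that are own properties of Object.prototype: "__proto__" would change the prototype of the result object, the others would shadow built-ins such as toString`. Dropping the parameter silently is reasonable, but if the module has a dev-mode warning helper like the one used for decode failures (the spec file asserts on such warnings), emitting one here would make the behaviour visible to callers. parseQuery's body starts and ends outside the hunk.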