fix: do not allow invalid hazardous keys in query (#880)

Co-authored-by: Eduardo San Martin Morote <posva@users.noreply.github.com>

diff --git a/__tests__/parseQuery.spec.ts b/__tests__/parseQuery.spec.ts
index b16c86245e3309843669915f19a28dd6aea649ce..7c849bbdf1b9d56a9355596da9938d2ad9123d33 100644 (file)
--- a/__tests__/parseQuery.spec.ts
+++ b/__tests__/parseQuery.spec.ts
@@ -85,4 +85,15 @@ describe('parseQuery', () => {
 
     expect('decoding "%"').toHaveBeenWarnedTimes(1)
   })
+
+  it('ignores __proto__', () => {
+    const query = parseQuery('__proto__=1')
+    expect(query.__proto__).toEqual(Object.prototype)
+    expect(query.constructor).toEqual(Object)
+  })
+
+  it('ignores build-in methods', () => {
+    const query = parseQuery('toString=1')
+    expect(query.toString).toEqual(Object.prototype.toString)
+  })
 })

diff --git a/src/query.ts b/src/query.ts
index f13c170454f81ceca5288f1b91d88e7bdbcda69c..c936c7a2704e01d7418327a92cf7f5a303428c2e 100644 (file)
--- a/src/query.ts
+++ b/src/query.ts
@@ -55,6 +55,12 @@ export function parseQuery(search: string): LocationQuery {
     // allow the = character
     let eqPos = searchParam.indexOf('=')
     let key = decode(eqPos < 0 ? searchParam : searchParam.slice(0, eqPos))
+
+    // this ignores ?__proto__&toString
+    if (Object.prototype.hasOwnProperty(key)) {
+      continue
+    }
+
     let value = eqPos < 0 ? null : decode(searchParam.slice(eqPos + 1))
 
     if (key in query) {