packages/nodejs-qs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2022-24999

Browse Source 
(cherry picked from commit f62d633f73752801030dd43fd282898334e44eb1)
This commit is contained in:
wk333 2024-03-26 16:24:18 +08:00 committed by openeuler-sync-bot
parent 946da65755
commit 54eaeb0fa9
2 changed files with 102 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

96
CVE-2022-24999.patch Normal file
View File

@ -0,0 +1,96 @@
From 8b4cc14cda94a5c89341b77e5fe435ec6c41be2d Mon Sep 17 00:00:00 2001
From: Jordan Harband <ljharb@gmail.com>
Date: Mon, 27 Dec 2021 19:15:57 -0800
Subject: [PATCH] [Fix] `parse`: ignore `__proto__` keys
Origin: https://github.com/ljharb/qs/pull/428
---
lib/parse.js | 2 +-
test/parse.js | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 61 insertions(+), 1 deletion(-)
diff --git a/lib/parse.js b/lib/parse.js
index c833315c..a4ac4fa0 100644
--- a/lib/parse.js
+++ b/lib/parse.js
@@ -136,7 +136,7 @@ var parseObject = function (chain, val, options, valuesParsed) {
) {
obj = [];
obj[index] = leaf;
- } else {
+ } else if (cleanRoot !== '__proto__') {
obj[cleanRoot] = leaf;
}
}
diff --git a/test/parse.js b/test/parse.js
index 7a3cfdef..7d61023e 100644
--- a/test/parse.js
+++ b/test/parse.js
@@ -629,6 +629,66 @@ test('parse()', function (t) {
st.end();
});
+ t.test('dunder proto is ignored', function (st) {
+ var payload = 'categories[__proto__]=login&categories[__proto__]&categories[length]=42';
+ var result = qs.parse(payload, { allowPrototypes: true });
+
+ st.deepEqual(
+ result,
+ {
+ categories: {
+ length: '42'
+ }
+ },
+ 'silent [[Prototype]] payload'
+ );
+
+ var plainResult = qs.parse(payload, { allowPrototypes: true, plainObjects: true });
+
+ st.deepEqual(
+ plainResult,
+ {
+ __proto__: null,
+ categories: {
+ __proto__: null,
+ length: '42'
+ }
+ },
+ 'silent [[Prototype]] payload: plain objects'
+ );
+
+ var query = qs.parse('categories[__proto__]=cats&categories[__proto__]=dogs&categories[some][json]=toInject', { allowPrototypes: true });
+
+ st.notOk(Array.isArray(query.categories), 'is not an array');
+ st.notOk(query.categories instanceof Array, 'is not instanceof an array');
+ st.deepEqual(query.categories, { some: { json: 'toInject' } });
+ st.equal(JSON.stringify(query.categories), '{"some":{"json":"toInject"}}', 'stringifies as a non-array');
+
+ st.deepEqual(
+ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true }),
+ {
+ foo: {
+ bar: 'stuffs'
+ }
+ },
+ 'hidden values'
+ );
+
+ st.deepEqual(
+ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true, plainObjects: true }),
+ {
+ __proto__: null,
+ foo: {
+ __proto__: null,
+ bar: 'stuffs'
+ }
+ },
+ 'hidden values: plain objects'
+ );
+
+ st.end();
+ });
+
t.test('can return null objects', { skip: !Object.create }, function (st) {
var expected = Object.create(null);
expected.a = Object.create(null);

8
nodejs-qs.spec
View File

@ -2,11 +2,12 @@
%global enable_tests 1
Name: nodejs-qs
Version: 6.5.1
Release: 1
Release: 2
Summary: Query string parser for Node.js
License: BSD
URL: https://github.com/ljharb/qs
Source0: https://registry.npmjs.org/qs/-/qs-%{version}.tgz
Patch0: CVE-2022-24999.patch
BuildArch: noarch
ExclusiveArch: %{nodejs_arches} noarch
BuildRequires: nodejs-packaging
@ -21,7 +22,7 @@ commonly desired behavior (and twice as fast). Used by express, connect
and others.
%prep
%setup -q -n package
%autosetup -n package -p1
%build
@ -45,5 +46,8 @@ install -p -m644 lib/*.js %{buildroot}%{nodejs_sitelib}/qs/lib
%{nodejs_sitelib}/qs
%changelog
* Tue Mar 26 2024 wangkai <13474090681@163.com> - 6.5.1-2
- Fix CVE-2022-24999
* Fri Aug 14 2020 wangyue <wangyue92@huawei.com> - 6.5.1-1
- Package init