Prototype properties in query

[DrLoopFall]

Bug

URL ...?toString=value results in query { toString: [ <toString function>, "value" ] }.

Solutions

• Create the query object with null prototype, Object.create(null) or { __proto__: null }.
• Disallow the keys from Object.prototype in query.

This would be a breaking change.

[kwhitley]

Testing this today...

a) Good catch! How did you even find this?? b) Not sure if we should fix it... because:

• it's an extreme edge case
• params will fall under the same issue I suspect (and would cost more bytes to fix)
• as would cookies...
• I think the worse side effect of fixing it is that a thing that looks like an object (query, params, etc) actually fails to have the properties/methods of a real object.

[DrLoopFall]

a) Good catch! How did you even find this??

Was checking Node's querystring.parse, and found that it returns an object with a null prototype.

params will fall under the same issue I suspect (and would cost more bytes to fix)

The params object already has a null prototype, match.groups is an object with a null prototype. For consistency, we can also make prototype of the fallback object null request.params = match.groups || { __proto: null }

I think the worse side effect of fixing it is that a thing that looks like an object (query, params, etc) actually fails to have the properties/methods of a real object.

Not fixing would result in objects having arrays instead of the expected object's properties/methods. e.g. req.toString() would throw error.

---

Here are a few query parser libraries behavior,

• Node's querystring -> null prototype.
• npm query-string -> null prototype.
• npm qs -> skips keys in Object.prototype
• npm querystringify -> skips keys in Object.prototype

---

This bug is not much likely to cause security issues. If we want we can leave it as it is.