fix: handle malicious keys for hgetall (#1416)

Closes #1267

Author: luin

lib/command.ts

@@ -427,7 +427,20 @@ Command.setReplyTransformer("hgetall", function (result) {
   if (Array.isArray(result)) {
     const obj = {};
     for (let i = 0; i < result.length; i += 2) {
-      obj[result[i]] = result[i + 1];
+      const key = result[i];
+      const value = result[i + 1];
+      if (obj[key]) {
+        // can only be truthy if the property is special somehow, like '__proto__' or 'constructor'
+        // https://github.com/luin/ioredis/issues/1267
+        Object.defineProperty(obj, key, {
+          value,
+          configurable: true,
+          enumerable: true,
+          writable: true,
+        });
+      } else {
+        obj[key] = value;
+      }
     }
     return obj;
   }

test/functional/hgetall.ts

@@ -0,0 +1,12 @@
+import Redis from "../../lib/redis";
+import { expect } from "chai";
+
+describe("hgetall", function () {
+  it("should handle __proto__", async function () {
+    const redis = new Redis();
+    await redis.hset("test_key", "__proto__", "hello");
+    const ret = await redis.hgetall("test_key");
+    expect(ret.__proto__).to.eql("hello");
+    expect(Object.keys(ret)).to.eql(["__proto__"]);
+  });
+});