redis · Aug 1, 2021 · Aug 18, 2021 · Aug 18, 2021
Showing with 65 additions and 1,100 deletions.

+7 −0 Changelog.md

+14 −1 lib/command.ts

+31 −1,098 package-lock.json

+1 −1 package.json

+12 −0 test/functional/hgetall.ts
diff --git a/Changelog.md b/Changelog.md
@@ -1,3 +1,10 @@
+## [4.27.8](https://github.com/luin/ioredis/compare/v4.27.7...v4.27.8) (2021-08-18)
+
+
+### Bug Fixes
+
+* handle malicious keys for hgetall ([#1416](https://github.com/luin/ioredis/issues/1416)) ([7d73b9d](https://github.com/luin/ioredis/commit/7d73b9d07b52ec077f235292aa15c7aca203bba9)), closes [#1267](https://github.com/luin/ioredis/issues/1267)
+
 ## [4.27.7](https://github.com/luin/ioredis/compare/v4.27.6...v4.27.7) (2021-08-01)
 
 

diff --git a/lib/command.ts b/lib/command.ts
@@ -427,7 +427,20 @@ Command.setReplyTransformer("hgetall", function (result) {
   if (Array.isArray(result)) {
     const obj = {};
     for (let i = 0; i < result.length; i += 2) {
-      obj[result[i]] = result[i + 1];
+      const key = result[i];
+      const value = result[i + 1];
+      if (obj[key]) {
+        // can only be truthy if the property is special somehow, like '__proto__' or 'constructor'
+        // https://github.com/luin/ioredis/issues/1267
+        Object.defineProperty(obj, key, {
+          value,
+          configurable: true,
+          enumerable: true,
+          writable: true,
+        });
+      } else {
+        obj[key] = value;
+      }
     }
     return obj;
   }