Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: do not allow invalid hazardous keys in query #880

Merged
merged 6 commits into from Apr 26, 2021
Merged

fix: do not allow invalid hazardous keys in query #880

merged 6 commits into from Apr 26, 2021

Conversation

cawa-93
Copy link
Contributor

@cawa-93 cawa-93 commented Apr 13, 2021

I drew attention to that when parsing the search query, it is possible to some extent manipulate the prototype of the returned object. I added a few checks so that at least partially prevent it.

@cawa-93
Copy link
Contributor Author

cawa-93 commented Apr 13, 2021

As a more rigorous and reliable alternative: return the Map or URLSearchParams instead of the object. Of course, this us breaking changes.

posva
posva reviewed Apr 13, 2021
View reviewed changes
src/query.ts Outdated Show resolved Hide resolved
@cawa-93 cawa-93 requested a review from posva April 18, 2021 18:23
posva
posva requested changes Apr 26, 2021
View reviewed changes
Copy link
Member

@posva posva left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, I think this makes sense as it could avoid weird forced bugs when sharing a URL with intentionally wrong query params

__tests__/parseQuery.spec.ts Outdated Show resolved Hide resolved
__tests__/parseQuery.spec.ts Outdated Show resolved Hide resolved
src/query.ts Outdated Show resolved Hide resolved
cawa-93 and others added 3 commits April 26, 2021 18:09
@cawa-93 @posva
Update __tests__/parseQuery.spec.ts
59a81da 
Co-authored-by: Eduardo San Martin Morote <posva@users.noreply.github.com>
@cawa-93 @posva
Update __tests__/parseQuery.spec.ts
b74dc2c 
Co-authored-by: Eduardo San Martin Morote <posva@users.noreply.github.com>
@cawa-93
refactor: Update src/query.ts
2dab37a
@cawa-93 cawa-93 requested a review from posva April 26, 2021 15:18
posva
posva approved these changes Apr 26, 2021
View reviewed changes
Copy link
Member

@posva posva left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@posva posva merged commit ecd52e0 into vuejs:master Apr 26, 2021
@cawa-93 cawa-93 deleted the strict-query branch April 26, 2021 15:27
@posva
Copy link
Member

posva commented May 27, 2021

I think I will revert this change as it forbids keys like toString which are totally valid keys in objects and one can still avoid any set of query keys by provide a parseQuery and stringifyQuery.
__proto__ cannot be overridden anyway.

Do you have any real scenario cases where this is a problem? Otherwise I will proceed to revert this change in the next patch @cawa-93

@cawa-93
Copy link
Contributor Author

cawa-93 commented May 27, 2021

No. I have no real scenarios. I see this as a safeguard against mistakes may by developer that lead to security risks

@posva
Copy link
Member

posva commented May 27, 2021
edited

so what security risks were you thinking about? That's a scenario

@cawa-93
Copy link
Contributor Author

cawa-93 commented May 27, 2021

I thinking about Prototype pollution, but I don't have any real example. I only assume that there may be some scenarios that may have some scenarios may exist when the developer makes some non-standard behavior when it can lead to problems. I only guess that there may be some scenarios (maybe when the developer makes some non-standard behavior) when it can lead to problems.

@posva
Copy link
Member

posva commented May 27, 2021

Thanks for the input!

posva added a commit that referenced this pull request May 27, 2021
@posva
fix(query): allow arbitrary keys in queries
a57b5f1 
Revert "fix: do not allow invalid hazardous keys in query (#880)"
This reverts commit ecd52e0.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@posva posva posva approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@cawa-93 @posva