ufo icon indicating copy to clipboard operation
ufo copied to clipboard
verified publisher icon unjs

Usage of default-prototype Object for URL params results in parsing problems

Open ThomasRinsma opened this issue 9 months ago • 1 comments

Environment

Node v23.10.0, ufo version 1.5.4.

Reproduction

> ufo.getQuery("http://foo.com/?toString=a")
{ toString: [ [Function: toString], 'a' ] }

Describe the bug

The accumulator object used during query parsing (initialized here), is a regular JavaScript Object. This means that it all the default Object keys are valid keys:

> x = {};
{}
> x.<tab complete>
x.__proto__             x.constructor           x.hasOwnProperty        x.isPrototypeOf         x.propertyIsEnumerable
x.toLocaleString        x.toString              x.valueOf

As regular key-accessing is used, the prototype chain is followed, hence, the check here will not be undefined for those keys, and this assignment logic will be followed.

In other words, while there is a check for __proto__ and constructor to prevent prototype pollution (I presume), this does not solve the problem of accessing other keys in the object's prototype. A good solution would be to use Object.create(null) instead of {} to initialize object.

Additional context

No response

Logs

ThomasRinsma avatar Mar 16 '25 11:03 ThomasRinsma

Thanks for report. Feel free to open a PR. You can use this pattern to avoid perf penalty of null object.

pi0 avatar Mar 17 '25 10:03 pi0