Revert "sec: security patch for CVE-2024-51999"

UlisesGascon · jonchurch · commit 5ddf311af32e · 2025-12-01T15:27:22.000-05:00
This reverts commit 6e97452.
diff --git a/lib/utils.js b/lib/utils.js
@@ -287,7 +287,7 @@ function createETagGenerator (options) {
 
 function parseExtendedQueryString(str) {
   return qs.parse(str, {
-    plainObjects: true
+    allowPrototypes: true
   });
 }
 
diff --git a/test/req.query.js b/test/req.query.js
@@ -3,7 +3,6 @@
 var assert = require('assert')
 var express = require('../')
   , request = require('supertest');
-var qs = require('qs');
 
 describe('req', function(){
   describe('.query', function(){
@@ -39,22 +38,6 @@ describe('req', function(){
         .get('/?user.name=tj')
         .expect(200, '{"user.name":"tj"}', done);
       });
-
-      it('should not be able to access object prototype properties', function (done) {
-        var app = createApp('extended', true);
-
-        request(app)
-        .get('/?foo=yee')
-        .expect(200, /TypeError: req\.query\.hasOwnProperty is not a function/, done);
-      });
-
-      it('should be able to use object prototype property names as keys', function (done) {
-        var app = createApp('extended', true);
-
-        request(app)
-        .get('/?hasOwnProperty=yee')
-        .expect(200, '{"query":{"hasOwnProperty":"yee"},"error":"TypeError: req.query.hasOwnProperty is not a function"}', done);
-      });
     });
 
     describe('when "query parser" is simple', function () {
@@ -65,22 +48,6 @@ describe('req', function(){
         .get('/?user%5Bname%5D=tj')
         .expect(200, '{"user[name]":"tj"}', done);
       });
-
-      it('should not be able to access object prototype properties', function (done) {
-        var app = createApp('simple', true);
-
-        request(app)
-        .get('/?foo=yee')
-        .expect(200, /TypeError: req\.query\.hasOwnProperty is not a function/, done);
-      });
-
-      it('should be able to use object prototype property names as keys', function (done) {
-        var app = createApp('simple', true);
-
-        request(app)
-        .get('/?hasOwnProperty=yee')
-        .expect(200, '{"query":{"hasOwnProperty":"yee"},"error":"TypeError: req.query.hasOwnProperty is not a function"}', done);
-      });
     });
 
     describe('when "query parser" is a function', function () {
@@ -93,18 +60,6 @@ describe('req', function(){
         .get('/?user%5Bname%5D=tj')
         .expect(200, '{"length":17}', done);
       });
-
-      // test exists to verify behavior for folks wishing to workaround our qs defaults
-      it('should drop object prototype property names and be able to access object prototype properties', function (done) {
-        var app = createApp(
-          function (str) {
-            return qs.parse(str)
-          }, true);
-
-        request(app)
-        .get('/?hasOwnProperty=biscuits')
-        .expect(200, '{"query":{},"hasOwnProperty":false}', done);
-      });
     });
 
     describe('when "query parser" disabled', function () {
@@ -115,22 +70,6 @@ describe('req', function(){
         .get('/?user%5Bname%5D=tj')
         .expect(200, '{}', done);
       });
-
-      it('should not be able to access object prototype properties', function (done) {
-        var app = createApp('extended', true);
-
-        request(app)
-        .get('/?foo=yee')
-        .expect(200, /TypeError: req\.query\.hasOwnProperty is not a function/, done);
-      });
-
-      it('should be able to use object prototype property names as keys', function (done) {
-        var app = createApp('extended', true);
-
-        request(app)
-        .get('/?hasOwnProperty=yee')
-        .expect(200, '{"query":{"hasOwnProperty":"yee"},"error":"TypeError: req.query.hasOwnProperty is not a function"}', done);
-      });
     });
 
     describe('when "query parser" enabled', function () {
@@ -141,22 +80,6 @@ describe('req', function(){
         .get('/?user%5Bname%5D=tj')
         .expect(200, '{"user[name]":"tj"}', done);
       });
-
-      it('should not be able to access object prototype properties', function (done) {
-        var app = createApp('extended', true);
-
-        request(app)
-        .get('/?foo=yee')
-        .expect(200, /TypeError: req\.query\.hasOwnProperty is not a function/, done);
-      });
-
-      it('should be able to use object prototype property names as keys', function (done) {
-        var app = createApp('extended', true);
-
-        request(app)
-        .get('/?hasOwnProperty=yee')
-        .expect(200, '{"query":{"hasOwnProperty":"yee"},"error":"TypeError: req.query.hasOwnProperty is not a function"}', done);
-      });
     });
 
     describe('when "query parser fn" is missing', function () {
@@ -174,22 +97,6 @@ describe('req', function(){
         .get('/?user[name]=tj&user.name=tj')
         .expect(200, '{"user":{"name":"tj"},"user.name":"tj"}', done);
       });
-
-      it('should not be able to access object prototype properties', function (done) {
-        var app = createApp('extended', true);
-
-        request(app)
-        .get('/?foo=yee')
-        .expect(200, /TypeError: req\.query\.hasOwnProperty is not a function/, done);
-      });
-
-      it('should be able to use object prototype property names as keys', function (done) {
-        var app = createApp('extended', true);
-
-        request(app)
-        .get('/?hasOwnProperty=yee')
-        .expect(200, '{"query":{"hasOwnProperty":"yee"},"error":"TypeError: req.query.hasOwnProperty is not a function"}', done);
-      });
     });
 
     describe('when "query parser" an unknown value', function () {
@@ -201,25 +108,15 @@ describe('req', function(){
   })
 })
 
-function createApp(setting, isPrototypePropertyTest) {
+function createApp(setting) {
   var app = express();
 
   if (setting !== undefined) {
     app.set('query parser', setting);
   }
 
   app.use(function (req, res) {
-    if(isPrototypePropertyTest) {
-      try {
-        var hasOwnProperty = req.query.hasOwnProperty('✨ express ✨');
-        res.send({ query: req.query, hasOwnProperty: hasOwnProperty });
-      } catch (error) {
-        res.send({ query: req.query, error: error.toString() });
-      }
-    }
-    else {
-      res.send(req.query);
-    }
+    res.send(req.query);
   });
 
   return app;

Original file line number	Diff line number	Diff line change
`@@ -287,7 +287,7 @@ function createETagGenerator (options) {`
`287`	`287`
`288`	`288`	`function parseExtendedQueryString(str) {`
`289`	`289`	`return qs.parse(str, {`
`290`		`- plainObjects: true`
	`290`	`+ allowPrototypes: true`
`291`	`291`	`});`
`292`	`292`	`}`
`293`	`293`