
Commit 697547c

UlisesGasconjonchurch
authored andcommitted
Revert "sec: security patch for CVE-2024-51999"
This reverts commit 2f64f68.
1 parent 4007ad1 commit 697547c


2 files changed

+3
-90
lines changed


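--- a/lib/utils.js
+++ b/lib/utils.js
@@ -266,6 +266,6 @@ function createETagGenerator (options) {
 
 function parseExtendedQueryString(str) {
 return qs.parse(str, {
-plainObjects: true
+allowPrototypes: true
 });
 }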
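Review bot: With `allowPrototypes: true` in `parseExtendedQueryString`, qs keeps query keys named after `Object.prototype` members on an ordinary object, so a request-supplied key such as `hasOwnProperty` shadows the inherited method on `req.query`. The commit message gives no reason for reverting a change that was labelled a security patch, so the trade-off should be recorded next to the option, e.g. `// allowPrototypes: request keys may shadow Object.prototype methods on req.query; use Object.prototype.hasOwnProperty.call(req.query, key)`. Handlers that receive `req.query` should not call inherited methods directly on it.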

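--- a/test/req.query.js
+++ b/test/req.query.js
@@ -3,7 +3,6 @@
 var assert = require('node:assert')
 var express = require('../')
 , request = require('supertest');
-var qs = require('qs');
 
 describe('req', function(){
 describe('.query', function(){
@@ -39,22 +38,6 @@ describe('req', function(){
 .get('/?user.name=tj')
 .expect(200, '{"user.name":"tj"}', done);
 });
-
-it('should not be able to access object prototype properties', function (done) {
-var app = createApp('extended', true);
-
-request(app)
-.get('/?foo=yee')
-.expect(200, /TypeError: req\.query\.hasOwnProperty is not a function/, done);
-});
-
-it('should be able to use object prototype property names as keys', function (done) {
-var app = createApp('extended', true);
-
-request(app)
-.get('/?hasOwnProperty=yee')
-.expect(200, '{"query":{"hasOwnProperty":"yee"},"error":"TypeError: req.query.hasOwnProperty is not a function"}', done);
-});
 });
 
 describe('when "query parser" is simple', function () {
@@ -65,22 +48,6 @@ describe('req', function(){
 .get('/?user%5Bname%5D=tj')
 .expect(200, '{"user[name]":"tj"}', done);
 });
-
-it('should not be able to access object prototype properties', function (done) {
-var app = createApp('simple', true);
-
-request(app)
-.get('/?foo=yee')
-.expect(200, /TypeError: req\.query\.hasOwnProperty is not a function/, done);
-});
-
-it('should be able to use object prototype property names as keys', function (done) {
-var app = createApp('simple', true);
-
-request(app)
-.get('/?hasOwnProperty=yee')
-.expect(200, '{"query":{"hasOwnProperty":"yee"},"error":"TypeError: req.query.hasOwnProperty is not a function"}', done);
-});
 });
 
 describe('when "query parser" is a function', function () {
@@ -93,18 +60,6 @@ describe('req', function(){
 .get('/?user%5Bname%5D=tj')
 .expect(200, '{"length":17}', done);
 });
-
-// test exists to verify behavior for folks wishing to workaround our qs defaults
-it('should drop object prototype property names and be able to access object prototype properties', function (done) {
-var app = createApp(
-function (str) {
-return qs.parse(str)
-}, true);
-
-request(app)
-.get('/?hasOwnProperty=biscuits')
-.expect(200, '{"query":{},"hasOwnProperty":false}', done);
-});
 });
 
 describe('when "query parser" disabled', function () {
@@ -115,22 +70,6 @@ describe('req', function(){
 .get('/?user%5Bname%5D=tj')
 .expect(200, '{}', done);
 });
-
-it('should not be able to access object prototype properties', function (done) {
-var app = createApp('extended', true);
-
-request(app)
-.get('/?foo=yee')
-.expect(200, /TypeError: req\.query\.hasOwnProperty is not a function/, done);
-});
-
-it('should be able to use object prototype property names as keys', function (done) {
-var app = createApp('extended', true);
-
-request(app)
-.get('/?hasOwnProperty=yee')
-.expect(200, '{"query":{"hasOwnProperty":"yee"},"error":"TypeError: req.query.hasOwnProperty is not a function"}', done);
-});
 });
 
 describe('when "query parser" enabled', function () {
@@ -141,22 +80,6 @@ describe('req', function(){
 .get('/?user%5Bname%5D=tj')
 .expect(200, '{"user[name]":"tj"}', done);
 });
-
-it('should not be able to access object prototype properties', function (done) {
-var app = createApp('extended', true);
-
-request(app)
-.get('/?foo=yee')
-.expect(200, /TypeError: req\.query\.hasOwnProperty is not a function/, done);
-});
-
-it('should be able to use object prototype property names as keys', function (done) {
-var app = createApp('extended', true);
-
-request(app)
-.get('/?hasOwnProperty=yee')
-.expect(200, '{"query":{"hasOwnProperty":"yee"},"error":"TypeError: req.query.hasOwnProperty is not a function"}', done);
-});
 });
 
 describe('when "query parser" an unknown value', function () {
@@ -168,25 +91,15 @@ describe('req', function(){
 })
 })
 
-function createApp(setting, isPrototypePropertyTest) {
+function createApp(setting) {
 var app = express();
 
 if (setting !== undefined) {
 app.set('query parser', setting);
 }
 
 app.use(function (req, res) {
-if(isPrototypePropertyTest) {
-try {
-var hasOwnProperty = req.query.hasOwnProperty('✨ express ✨');
-res.send({ query: req.query, hasOwnProperty: hasOwnProperty });
-} catch (error) {
-res.send({ query: req.query, error: error.toString() });
-}
-}
-else {
 res.send(req.query);
-}
+res.send(req.query);
 });
 
 return app;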
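Review bot: After the removals in this file, nothing on the new side exercises a query key named after an `Object.prototype` property, so the behaviour that `allowPrototypes: true` restores in lib/utils.js is not pinned by any test. A small case in the extended-parser group would cover it, for example `request(createApp('extended')).get('/?hasOwnProperty=yee').expect(200, '{"hasOwnProperty":"yee"}', done);`; the expected body is inferred from qs's documented `allowPrototypes` behaviour and should be confirmed by running it. `createApp` closes outside the last hunk.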
