fix: ensure arrayLength applies to [] notation as well

Author: AlessioGr

lib/parse.js

@@ -105,7 +105,12 @@ const parseValues = function parseQueryStringValues(str, options) {
 
     const existing = has.call(obj, key)
     if (existing && options.duplicates === 'combine') {
-      obj[key] = utils.combine(obj[key], val)
+      obj[key] = utils.combine(
+        obj[key],
+        val,
+        options.arrayLimit,
+        options.plainObjects
+    );
     } else if (!existing || options.duplicates === 'last') {
       obj[key] = val
     }
@@ -122,7 +127,19 @@ const parseObject = function (chain, val, options, valuesParsed) {
     const root = chain[i]
 
     if (root === '[]' && options.parseArrays) {
-      obj = options.allowEmptyArrays && leaf === '' ? [] : [].concat(leaf)
+      if (utils.isOverflow(leaf)) {
+        // leaf is already an overflow object, preserve it
+        obj = leaf;
+    } else {
+        obj = options.allowEmptyArrays && (leaf === '' || (options.strictNullHandling && leaf === null))
+            ? []
+            : utils.combine(
+                [],
+                leaf,
+                options.arrayLimit,
+                options.plainObjects
+            );
+    }
     } else {
       obj = options.plainObjects ? Object.create(null) : {}
       const cleanRoot =

lib/utils.js

@@ -5,6 +5,26 @@ import * as formats from './formats.js'
 const has = Object.prototype.hasOwnProperty
 const isArray = Array.isArray
 
+const overflowChannel = new WeakMap();
+
+var markOverflow = function markOverflow(obj, maxIndex) {
+    overflowChannel.set(obj, maxIndex);
+    return obj;
+};
+
+export function isOverflow(obj) {
+    return overflowChannel.has(obj);
+};
+
+var getMaxIndex = function getMaxIndex(obj) {
+    return overflowChannel.get(obj);
+};
+
+var setMaxIndex = function setMaxIndex(obj, maxIndex) {
+    overflowChannel.set(obj, maxIndex);
+};
+
+
 const hexTable = (function () {
   const array = []
   for (let i = 0; i < 256; ++i) {
@@ -54,7 +74,12 @@ export const merge = function merge(target, source, options) {
     if (isArray(target)) {
       target.push(source)
     } else if (target && typeof target === 'object') {
-      if (
+      if (isOverflow(target)) {
+        // Add at next numeric index for overflow objects
+        var newIndex = getMaxIndex(target) + 1;
+        target[newIndex] = source;
+        setMaxIndex(target, newIndex);
+    } else if (
         (options && (options.plainObjects || options.allowPrototypes)) ||
         !has.call(Object.prototype, source)
       ) {
@@ -68,6 +93,18 @@ export const merge = function merge(target, source, options) {
   }
 
   if (!target || typeof target !== 'object') {
+    if (isOverflow(source)) {
+      // Create new object with target at 0, source values shifted by 1
+      var sourceKeys = Object.keys(source);
+      var result = options && options.plainObjects
+          ? { __proto__: null, 0: target }
+          : { 0: target };
+      for (var m = 0; m < sourceKeys.length; m++) {
+          var oldKey = parseInt(sourceKeys[m], 10);
+          result[oldKey + 1] = source[sourceKeys[m]];
+      }
+      return markOverflow(result, getMaxIndex(source) + 1);
+  }
     return [target].concat(source)
   }
 
@@ -238,9 +275,21 @@ export const isBuffer = function isBuffer(obj) {
   return !!(obj.constructor && obj.constructor.isBuffer && obj.constructor.isBuffer(obj))
 }
 
-export const combine = function combine(a, b) {
-  return [].concat(a, b)
-}
+export const combine = function combine(a, b, arrayLimit, plainObjects) {
+  // If 'a' is already an overflow object, add to it
+  if (isOverflow(a)) {
+      var newIndex = getMaxIndex(a) + 1;
+      a[newIndex] = b;
+      setMaxIndex(a, newIndex);
+      return a;
+  }
+
+  var result = [].concat(a, b);
+  if (result.length > arrayLimit) {
+      return markOverflow(arrayToObject(result, { plainObjects: plainObjects }), result.length - 1);
+  }
+  return result;
+};
 
 export const maybeMap = function maybeMap(val, fn) {
   if (isArray(val)) {

test/parse.cjs

@@ -246,11 +246,11 @@ test('parse()', async function (t) {
     st.deepEqual(qs.parse('a=b&a[0]=c'), { a: ['b', 'c'] })
 
     st.deepEqual(qs.parse('a[1]=b&a=c', { arrayLimit: 20 }), { a: ['b', 'c'] })
-    st.deepEqual(qs.parse('a[]=b&a=c', { arrayLimit: 0 }), { a: ['b', 'c'] })
+    st.deepEqual(qs.parse('a[]=b&a=c', { arrayLimit: 0 }), { a: { 0: 'b', 1: 'c' } });
     st.deepEqual(qs.parse('a[]=b&a=c'), { a: ['b', 'c'] })
 
     st.deepEqual(qs.parse('a=b&a[1]=c', { arrayLimit: 20 }), { a: ['b', 'c'] })
-    st.deepEqual(qs.parse('a=b&a[]=c', { arrayLimit: 0 }), { a: ['b', 'c'] })
+    st.deepEqual(qs.parse('a=b&a[]=c', { arrayLimit: 0 }), { a: { 0: 'b', 1: 'c' } });
     st.deepEqual(qs.parse('a=b&a[]=c'), { a: ['b', 'c'] })
 
     st.end()
@@ -416,7 +416,7 @@ test('parse()', async function (t) {
     )
     st.deepEqual(
       qs.parse('a[]=b&a[]&a[]=c&a[]=', { strictNullHandling: true, arrayLimit: 0 }),
-      { a: ['b', null, 'c', ''] },
+      { a: { 0: 'b', 1: null, 2: 'c', 3: '' } },
       'with arrayLimit 0 + array brackets: null then empty string works',
     )
 
@@ -427,7 +427,7 @@ test('parse()', async function (t) {
     )
     st.deepEqual(
       qs.parse('a[]=b&a[]=&a[]=c&a[]', { strictNullHandling: true, arrayLimit: 0 }),
-      { a: ['b', '', 'c', null] },
+      { a: { 0: 'b', 1: '', 2: 'c', 3: null } },
       'with arrayLimit 0 + array brackets: empty string then null works',
     )
 
@@ -1210,6 +1210,112 @@ test('parse()', async function (t) {
     st.end()
   })
 
+  test('DOS', function (t) {
+    var arr = [];
+    for (var i = 0; i < 105; i++) {
+        arr[arr.length] = 'x';
+    }
+    var attack = 'a[]=' + arr.join('&a[]=');
+    var result = qs.parse(attack, { arrayLimit: 100 });
+
+    t.notOk(Array.isArray(result.a), 'arrayLimit is respected: result is an object, not an array');
+    t.equal(Object.keys(result.a).length, 105, 'all values are preserved');
+
+    t.end();
+});
+
+test('arrayLimit boundary conditions', function (t) {
+    t.test('exactly at the limit stays as array', function (st) {
+        var result = qs.parse('a[]=1&a[]=2&a[]=3', { arrayLimit: 3 });
+        st.ok(Array.isArray(result.a), 'result is an array when exactly at limit');
+        st.deepEqual(result.a, ['1', '2', '3'], 'all values present');
+        st.end();
+    });
+
+    t.test('one over the limit converts to object', function (st) {
+        var result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4', { arrayLimit: 3 });
+        st.notOk(Array.isArray(result.a), 'result is not an array when over limit');
+        st.deepEqual(result.a, { 0: '1', 1: '2', 2: '3', 3: '4' }, 'all values preserved as object');
+        st.end();
+    });
+
+    t.test('arrayLimit 1 with two values', function (st) {
+        var result = qs.parse('a[]=1&a[]=2', { arrayLimit: 1 });
+        st.notOk(Array.isArray(result.a), 'result is not an array');
+        st.deepEqual(result.a, { 0: '1', 1: '2' }, 'both values preserved');
+        st.end();
+    });
+
+    t.end();
+});
+
+test('mixed array and object notation', function (t) {
+    t.test('array brackets with object key - under limit', function (st) {
+        st.deepEqual(
+            qs.parse('a[]=b&a[c]=d'),
+            { a: { 0: 'b', c: 'd' } },
+            'mixing [] and [key] converts to object'
+        );
+        st.end();
+    });
+
+    t.test('array index with object key - under limit', function (st) {
+        st.deepEqual(
+            qs.parse('a[0]=b&a[c]=d'),
+            { a: { 0: 'b', c: 'd' } },
+            'mixing [0] and [key] produces object'
+        );
+        st.end();
+    });
+
+    t.test('plain value with array brackets - under limit', function (st) {
+        st.deepEqual(
+            qs.parse('a=b&a[]=c', { arrayLimit: 20 }),
+            { a: ['b', 'c'] },
+            'plain value combined with [] stays as array under limit'
+        );
+        st.end();
+    });
+
+    t.test('array brackets with plain value - under limit', function (st) {
+        st.deepEqual(
+            qs.parse('a[]=b&a=c', { arrayLimit: 20 }),
+            { a: ['b', 'c'] },
+            '[] combined with plain value stays as array under limit'
+        );
+        st.end();
+    });
+
+    t.test('plain value with array index - under limit', function (st) {
+        st.deepEqual(
+            qs.parse('a=b&a[0]=c', { arrayLimit: 20 }),
+            { a: ['b', 'c'] },
+            'plain value combined with [0] stays as array under limit'
+        );
+        st.end();
+    });
+
+    t.test('multiple plain values with duplicates combine', function (st) {
+        st.deepEqual(
+            qs.parse('a=b&a=c&a=d', { arrayLimit: 20 }),
+            { a: ['b', 'c', 'd'] },
+            'duplicate plain keys combine into array'
+        );
+        st.end();
+    });
+
+    t.test('multiple plain values exceeding limit', function (st) {
+        st.deepEqual(
+            qs.parse('a=b&a=c&a=d', { arrayLimit: 2 }),
+            { a: { 0: 'b', 1: 'c', 2: 'd' } },
+            'duplicate plain keys convert to object when exceeding limit'
+        );
+        st.end();
+    });
+
+    t.end();
+});
+
   t.end()
 })
 

test/utils.cjs

@@ -70,6 +70,60 @@ test('merge()', async function (t) {
     },
   )
 
+  t.test('with overflow objects (from arrayLimit)', function (st) {
+    st.test('merges primitive into overflow object at next index', function (s2t) {
+        // Create an overflow object via combine
+        var overflow = utils.combine(['a'], 'b', 1, false);
+        s2t.ok(utils.isOverflow(overflow), 'overflow object is marked');
+        var merged = utils.merge(overflow, 'c');
+        s2t.deepEqual(merged, { 0: 'a', 1: 'b', 2: 'c' }, 'adds primitive at next numeric index');
+        s2t.end();
+    });
+
+    st.test('merges primitive into regular object with numeric keys normally', function (s2t) {
+        var obj = { 0: 'a', 1: 'b' };
+        s2t.notOk(utils.isOverflow(obj), 'plain object is not marked as overflow');
+        var merged = utils.merge(obj, 'c');
+        s2t.deepEqual(merged, { 0: 'a', 1: 'b', c: true }, 'adds primitive as key (not at next index)');
+        s2t.end();
+    });
+
+    st.test('merges primitive into object with non-numeric keys normally', function (s2t) {
+        var obj = { foo: 'bar' };
+        var merged = utils.merge(obj, 'baz');
+        s2t.deepEqual(merged, { foo: 'bar', baz: true }, 'adds primitive as key with value true');
+        s2t.end();
+    });
+
+    st.test('merges overflow object into primitive', function (s2t) {
+        // Create an overflow object via combine
+        var overflow = utils.combine([], 'b', 0, false);
+        s2t.ok(utils.isOverflow(overflow), 'overflow object is marked');
+        var merged = utils.merge('a', overflow);
+        s2t.ok(utils.isOverflow(merged), 'result is also marked as overflow');
+        s2t.deepEqual(merged, { 0: 'a', 1: 'b' }, 'creates object with primitive at 0, source values shifted');
+        s2t.end();
+    });
+
+    st.test('merges overflow object with multiple values into primitive', function (s2t) {
+        // Create an overflow object via combine
+        var overflow = utils.combine(['b'], 'c', 1, false);
+        s2t.ok(utils.isOverflow(overflow), 'overflow object is marked');
+        var merged = utils.merge('a', overflow);
+        s2t.deepEqual(merged, { 0: 'a', 1: 'b', 2: 'c' }, 'shifts all source indices by 1');
+        s2t.end();
+    });
+
+    st.test('merges regular object into primitive as array', function (s2t) {
+        var obj = { foo: 'bar' };
+        var merged = utils.merge('a', obj);
+        s2t.deepEqual(merged, ['a', { foo: 'bar' }], 'creates array with primitive and object');
+        s2t.end();
+    });
+
+    st.end();
+});
+
   t.end()
 })
 
@@ -136,6 +190,71 @@ test('combine()', async function (t) {
     st.end()
   })
 
+  t.test('with arrayLimit', function (st) {
+    st.test('under the limit', function (s2t) {
+        var combined = utils.combine(['a', 'b'], 'c', 10, false);
+        s2t.deepEqual(combined, ['a', 'b', 'c'], 'returns array when under limit');
+        s2t.ok(Array.isArray(combined), 'result is an array');
+        s2t.end();
+    });
+
+    st.test('exactly at the limit stays as array', function (s2t) {
+        var combined = utils.combine(['a', 'b'], 'c', 3, false);
+        s2t.deepEqual(combined, ['a', 'b', 'c'], 'stays as array when exactly at limit');
+        s2t.ok(Array.isArray(combined), 'result is an array');
+        s2t.end();
+    });
+
+    st.test('over the limit', function (s2t) {
+        var combined = utils.combine(['a', 'b', 'c'], 'd', 3, false);
+        s2t.deepEqual(combined, { 0: 'a', 1: 'b', 2: 'c', 3: 'd' }, 'converts to object when over limit');
+        s2t.notOk(Array.isArray(combined), 'result is not an array');
+        s2t.end();
+    });
+
+    st.test('with arrayLimit 0', function (s2t) {
+        var combined = utils.combine([], 'a', 0, false);
+        s2t.deepEqual(combined, { 0: 'a' }, 'converts single element to object with arrayLimit 0');
+        s2t.notOk(Array.isArray(combined), 'result is not an array');
+        s2t.end();
+    });
+
+    st.test('with plainObjects option', function (s2t) {
+        var combined = utils.combine(['a'], 'b', 1, true);
+        var expected = { __proto__: null, 0: 'a', 1: 'b' };
+        s2t.deepEqual(combined, expected, 'converts to object with null prototype');
+        s2t.equal(Object.getPrototypeOf(combined), null, 'result has null prototype when plainObjects is true');
+        s2t.end();
+    });
+
+    st.end();
+});
+
+t.test('with existing overflow object', function (st) {
+    st.test('adds to existing overflow object at next index', function (s2t) {
+        // Create overflow object first via combine
+        var overflow = utils.combine(['a'], 'b', 1, false);
+        s2t.ok(utils.isOverflow(overflow), 'initial object is marked as overflow');
+
+        var combined = utils.combine(overflow, 'c', 10, false);
+        s2t.equal(combined, overflow, 'returns the same object (mutated)');
+        s2t.deepEqual(combined, { 0: 'a', 1: 'b', 2: 'c' }, 'adds value at next numeric index');
+        s2t.end();
+    });
+
+    st.test('does not treat plain object with numeric keys as overflow', function (s2t) {
+        var plainObj = { 0: 'a', 1: 'b' };
+        s2t.notOk(utils.isOverflow(plainObj), 'plain object is not marked as overflow');
+
+        // combine treats this as a regular value, not an overflow object to append to
+        var combined = utils.combine(plainObj, 'c', 10, false);
+        s2t.deepEqual(combined, [{ 0: 'a', 1: 'b' }, 'c'], 'concatenates as regular values');
+        s2t.end();
+    });
+
+    st.end();
+});
+
   t.end()
 })