fix(pg-connection-string): prototype pollution via query strings

Author: hjr3

packages/pg-connection-string/index.js

@@ -14,7 +14,7 @@ function parse(str, options = {}) {
 
   // Check for empty host in URL
 
-  const config = {}
+  const config = Object.create(null)
   let result
   let dummyHost = false
   if (/ |%[^a-f0-9]|%[a-f0-9][^a-f0-9]/i.test(str)) {
@@ -164,7 +164,7 @@ function toConnectionOptions(sslConfig) {
     }
 
     return c
-  }, {})
+  }, Object.create(null))
 
   return connectionOptions
 }
@@ -200,7 +200,7 @@ function toClientConfig(config) {
     }
 
     return c
-  }, {})
+  }, Object.create(null))
 
   return poolConfig
 }

packages/pg-connection-string/test/clientConfig.ts

@@ -46,7 +46,7 @@ describe('toClientConfig', function () {
     const config = parse('pg:///?sslmode=no-verify')
     const clientConfig = toClientConfig(config)
 
-    clientConfig.ssl?.should.deep.equal({
+    expect(clientConfig.ssl).to.deep.equal({
       rejectUnauthorized: false,
     })
   })
@@ -55,14 +55,14 @@ describe('toClientConfig', function () {
     const config = parse('pg:///?sslmode=verify-ca')
     const clientConfig = toClientConfig(config)
 
-    clientConfig.ssl?.should.deep.equal({})
+    expect(clientConfig.ssl).to.deep.equal({})
   })
 
   it('converts other sslmode options', function () {
     const config = parse('pg:///?sslmode=verify-ca')
     const clientConfig = toClientConfig(config)
 
-    clientConfig.ssl?.should.deep.equal({})
+    expect(clientConfig.ssl).to.deep.equal({})
   })
 
   it('converts ssl cert options', function () {
@@ -77,7 +77,7 @@ describe('toClientConfig', function () {
     const config = parse(connectionString)
     const clientConfig = toClientConfig(config)
 
-    clientConfig.ssl?.should.deep.equal({
+    expect(clientConfig.ssl).to.deep.equal({
       ca: 'example ca\n',
       cert: 'example cert\n',
       key: 'example key\n',
@@ -106,9 +106,9 @@ describe('toClientConfig', function () {
 
     const clientConfig = toClientConfig(config)
 
-    clientConfig.host?.should.equal('boom')
-    clientConfig.database?.should.equal('lala')
-    clientConfig.ssl?.should.deep.equal({})
+    expect(clientConfig.host).to.equal('boom')
+    expect(clientConfig.database).to.equal('lala')
+    expect(clientConfig.ssl).to.deep.equal({})
   })
 })
 

packages/pg-connection-string/test/parse.ts

@@ -467,4 +467,38 @@ describe('parse', function () {
     const subject = parse(connectionString)
     subject.port?.should.equal('1234')
   })
+
+  describe('prototype pollution protection', function () {
+    it('returns object with null prototype', function () {
+      const subject = parse('postgres://localhost/db')
+      expect(Object.getPrototypeOf(subject)).to.equal(null)
+    })
+
+    it('__proto__ query parameter is stored as regular property', function () {
+      const subject = parse('postgres://localhost/db?__proto__=malicious')
+      expect(Object.getPrototypeOf(subject)).to.equal(null)
+      expect(subject['__proto__']).to.equal('malicious')
+      // global Object.prototype should not be affected
+      expect(({} as any).malicious).to.equal(undefined)
+    })
+
+    it('constructor query parameter is stored as regular property', function () {
+      const subject = parse('postgres://localhost/db?constructor=evil')
+      expect(subject.constructor).to.equal('evil')
+    })
+
+    it('prototype query parameter is stored as regular property', function () {
+      const subject = parse('postgres://localhost/db?prototype=evil')
+      expect(subject['prototype']).to.equal('evil')
+    })
+
+    it('multiple dangerous query parameters are handled safely', function () {
+      const subject = parse('postgres://localhost/db?__proto__=a&constructor=b&prototype=c&toString=d')
+      expect(Object.getPrototypeOf(subject)).to.equal(null)
+      expect(subject['__proto__']).to.equal('a')
+      expect(subject.constructor).to.equal('b')
+      expect(subject['prototype']).to.equal('c')
+      expect(subject['toString']).to.equal('d')
+    })
+  })
 })