querystring: allow querystring parse to handle __proto__ by jasnell · Pull Request #6044 · nodejs/node

jasnell · 2016-04-04T22:48:24Z

Pull Request check-list

Does make -j8 test (UNIX) or vcbuild test nosign (Windows) pass with
this change (including linting)?
Is the commit message formatted according to [CONTRIBUTING.md][0]?
If this change fixes a bug (or a performance problem), is a regression
test (or a benchmark) included?

Affected core subsystem(s)

querystring

Description of change

Per #5642, using querystring.parse to parse 'a=b&__proto__=1' causes the __proto__ to be swallowed and ignored. This works around the limitation by temporarily setting the prototype of the parsed obj to null during the parse, then setting it back before returning.

The rest of the existing implementation remains the same.

Fixes: #5642

/cc @mscdex @WebReflection

mscdex · 2016-04-04T22:56:59Z

If this change is going to be made, wouldn't it be simpler to just use Object.create(null) instead of {} for obj? What is the performance difference if there is any?

jasnell · 2016-04-04T23:10:54Z

Interesting... using Object.create(null) gives a slight performance edge in a simple benchmark:

'use strict';
var common = require('../common.js');
var querystring = require('querystring');
var v8 = require('v8');

var bench = common.createBenchmark(main, {
  n: [1e6],
});

function main(conf) {
  var n = conf.n | 0;

  const input = 'a=b&__proto__=1';

  v8.setFlagsFromString('--allow_natives_syntax');
  querystring.parse(input);
  eval('%OptimizeFunctionOnNextCall(querystring.parse)');
  querystring.parse(input);

  var i;
  bench.start();
  for (i = 0; i < n; i += 1)
    querystring.parse(input);
  bench.end(n);
}

jasnell · 2016-04-04T23:17:20Z

@mscdex ... updated to use Object.create(null).

mscdex · 2016-04-04T23:49:19Z

lib/querystring.js

Are we comfortable with this inconsistency?

mscdex · 2016-04-04T23:52:04Z

FWIW using Object.create(null) was already discussed in the linked issue and has its own set of performance regressions. Is this solution (out of the other suggested solutions in the linked issue) and its performance something that everyone can (mostly) agree on?

Fishrock123 · 2016-04-05T02:02:36Z

👎 Unless we can see that Object.create(null) isn't orders of magnitude slower. :/

mscdex · 2016-04-05T02:39:40Z

@Fishrock123 It still is.

@jasnell I think I may have found a solution that doesn't cause a performance regression and may even provide somewhat of a performance boost.

jasnell · 2016-04-05T05:07:35Z

Sigh, every time I benchmark this I'm getting different results. I'll switch it back to {} for now. What's the alternative you found @mscdex ?

Per nodejs#5642, using querystring.parse to parse 'a=b&__proto__=1' causes the `__proto__` to be swallowed and ignored. This works around the limitation by temporarily setting the prototype of the parsed obj to null during the parse, then setting it back before returning. Fixes: nodejs#5642

WebReflection · 2016-04-05T06:54:20Z

since you never know how much optimization could be done, I'd go for:

// begin
var obj = Object.setPrototypeOf({}, null);
// ... rest of the code ...
// end
return Object.setPrototypeOf(obj, Object.prototype);

at least it couldn't go more compact than that, and the returned value from setPrototypeOf doens't get wasted.

benjamingr · 2016-04-05T12:15:59Z

lib/querystring.js

+    return {};
  }

+  var obj = {};


Why not Object.create(null)?

Sorry, had this open for a while and GH refreshed so I just now noticed this was already discussed.

Sinewyk · 2016-04-05T16:55:48Z

Related: #6055

jasnell · 2016-04-07T16:40:29Z

Closing in favor of @mscdex's #6055

jasnell added the querystring Issues and PRs related to the built-in querystring module. label Apr 4, 2016

jasnell changed the title ~~querystring: all querystring parse to handle __proto__~~ querystring: allow querystring parse to handle __proto__ Apr 4, 2016

jasnell force-pushed the querystring-proto branch 2 times, most recently from f9b4060 to e0fb8dd Compare April 4, 2016 22:53

jasnell mentioned this pull request Apr 4, 2016

querystring: avoid conflicts with Object.prototype and __proto__ #5722

Closed

mscdex reviewed Apr 4, 2016
View reviewed changes

lib/querystring.js Outdated

Copy link

Contributor

mscdex Apr 4, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we comfortable with this inconsistency?

mscdex added the semver-major PRs that contain breaking changes and should be released in the next major version. label Apr 4, 2016

jasnell force-pushed the querystring-proto branch from 71d02ad to 8abf8a8 Compare April 5, 2016 05:13

benjamingr reviewed Apr 5, 2016
View reviewed changes

Sinewyk mentioned this pull request Apr 5, 2016

querystring: don't inherit from Object.prototype #6055

Merged

3 tasks

jasnell closed this Apr 7, 2016

Uh oh!

Conversation

jasnell commented Apr 4, 2016

Pull Request check-list

Affected core subsystem(s)

Description of change

Uh oh!

mscdex commented Apr 4, 2016

Uh oh!

jasnell commented Apr 4, 2016

Uh oh!

jasnell commented Apr 4, 2016

Uh oh!

mscdex Apr 4, 2016

Choose a reason for hiding this comment

Uh oh!

mscdex commented Apr 4, 2016

Uh oh!

Fishrock123 commented Apr 5, 2016

Uh oh!

mscdex commented Apr 5, 2016

Uh oh!

jasnell commented Apr 5, 2016

Uh oh!

WebReflection commented Apr 5, 2016

Uh oh!

benjamingr Apr 5, 2016

Choose a reason for hiding this comment

Uh oh!

benjamingr Apr 5, 2016

Choose a reason for hiding this comment

Uh oh!

Sinewyk commented Apr 5, 2016

Uh oh!

jasnell commented Apr 7, 2016

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants