fix(transport-commons): Ensure socket queries are always plain objects (

#2597)
feathersjs · Apr 13, 2022 · 97313e1 · 97313e1
1 parent d719f54
commit 97313e1
Show file tree

Hide file tree

Showing 3 changed files with 86 additions and 87 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/transport-commons/src/socket/utils.ts b/packages/transport-commons/src/socket/utils.ts
@@ -91,7 +91,7 @@ export async function runMethod (app: Application, connection: RealTimeConnectio
     }
 
     const position = paramsPositions[method] !== undefined ? paramsPositions[method] : DEFAULT_PARAMS_POSITION;
-    const query = methodArgs[position] || {};
+    const query = Object.assign({}, methodArgs[position]);
     // `params` have to be re-mapped to the query and added with the route
     const params = Object.assign({ query, route, connection }, connection);
 

diff --git a/packages/transport-commons/test/socket/utils.test.ts b/packages/transport-commons/test/socket/utils.test.ts
@@ -2,6 +2,7 @@ import assert from 'assert';
 import { EventEmitter } from 'events';
 import { feathers, Application, Params } from '@feathersjs/feathers';
 import { NotAuthenticated } from '@feathersjs/errors';
+import { isPlainObject } from 'lodash';
 
 import { routing } from '../../src/routing';
 import {
@@ -189,11 +190,15 @@ describe('socket commons utils', () => {
     beforeEach(() => {
       app = feathers().configure(routing());
       app.use('/myservice', {
-        get (id: number|string, params: Params) {
+        async get (id: number|string, params: Params) {
           if (params.query.error) {
-            return Promise.reject(new NotAuthenticated('None shall pass'));
+            throw new NotAuthenticated('None shall pass');
           }
-          return Promise.resolve({ id });
+          if (!isPlainObject(params.query)) {
+            throw new Error('Query is not a plain object');
+          }
+
+          return { id };
         }
       });
     });
@@ -212,6 +217,21 @@ describe('socket commons utils', () => {
         runMethod(app, {}, 'myservice', 'get', [ 10, {}, callback ]);
       });
 
+      it('queries are always plain objects', done => {
+        const callback = (error: any, result: any) => {
+          if (error) {
+            return done(error);
+          }
+
+          assert.deepStrictEqual(result, { id: 10 });
+          done();
+        };
+
+        runMethod(app, {}, 'myservice', 'get', [ 10, {
+          __proto__: []
+        }, callback ]);
+      });
+
       it('merges params with connection and passes connection', done => {
         const connection = {
           testing: true