Skip to content

Commit

Permalink
fix: handle malicious keys for hgetall (#1416)
Browse files Browse the repository at this point in the history
Closes #1267
  • Loading branch information
janus-dev87 committed Aug 18, 2021
1 parent dfacb8d commit 35dce8d
Show file tree
Hide file tree
Showing 2 changed files with 26 additions and 1 deletion.
15 changes: 14 additions & 1 deletion lib/command.ts
Original file line number Diff line number Diff line change
Expand Up @@ -427,7 +427,20 @@ Command.setReplyTransformer("hgetall", function (result) {
if (Array.isArray(result)) {
const obj = {};
for (let i = 0; i < result.length; i += 2) {
obj[result[i]] = result[i + 1];
const key = result[i];
const value = result[i + 1];
if (obj[key]) {
// can only be truthy if the property is special somehow, like '__proto__' or 'constructor'
// https://github.com/luin/ioredis/issues/1267
Object.defineProperty(obj, key, {
value,
configurable: true,
enumerable: true,
writable: true,
});
} else {
obj[key] = value;
}
}
return obj;
}
Expand Down
12 changes: 12 additions & 0 deletions test/functional/hgetall.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
import Redis from "../../lib/redis";
import { expect } from "chai";

describe("hgetall", function () {
it("should handle __proto__", async function () {
const redis = new Redis();
await redis.hset("test_key", "__proto__", "hello");
const ret = await redis.hgetall("test_key");
expect(ret.__proto__).to.eql("hello");
expect(Object.keys(ret)).to.eql(["__proto__"]);
});
});

0 comments on commit 35dce8d

Please sign in to comment.