@augustofarnese/qs-patch 6.15.0-patched.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/.editorconfig ADDED
@@ -0,0 +1,46 @@
1
+ root = true
2
+
3
+ [*]
4
+ indent_style = space
5
+ indent_size = 4
6
+ end_of_line = lf
7
+ charset = utf-8
8
+ trim_trailing_whitespace = true
9
+ insert_final_newline = true
10
+ max_line_length = 180
11
+ quote_type = single
12
+
13
+ [test/*]
14
+ max_line_length = off
15
+
16
+ [LICENSE.md]
17
+ indent_size = off
18
+
19
+ [*.md]
20
+ max_line_length = off
21
+
22
+ [*.json]
23
+ max_line_length = off
24
+
25
+ [Makefile]
26
+ max_line_length = off
27
+
28
+ [CHANGELOG.md]
29
+ indent_style = space
30
+ indent_size = 2
31
+
32
+ [LICENSE]
33
+ indent_size = 2
34
+ max_line_length = off
35
+
36
+ [coverage/**/*]
37
+ indent_size = off
38
+ indent_style = off
39
+ indent = off
40
+ max_line_length = off
41
+
42
+ [.nycrc]
43
+ indent_style = tab
44
+
45
+ [tea.yaml]
46
+ indent_size = 2
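Review bot: `indent = off` in the `[coverage/**/*]` section is not an EditorConfig property (the spec defines `indent_style`, `indent_size` and `tab_width`), so editors will silently ignore it; the `indent_style = off` and `indent_size = off` lines directly above already express the intent, and the stray line can be dropped. Minor: the spec's documented value for clearing an inherited property is `unset`; `off` is tool-dependent, so `indent_size = unset` would be the portable form for the `[LICENSE.md]` and `[coverage/**/*]` sections.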
@@ -0,0 +1,12 @@
1
+ # These are supported funding model platforms
2
+
3
+ github: [ljharb]
4
+ patreon: # Replace with a single Patreon username
5
+ open_collective: # Replace with a single Open Collective username
6
+ ko_fi: # Replace with a single Ko-fi username
7
+ tidelift: npm/qs
8
+ community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
9
+ liberapay: # Replace with a single Liberapay username
10
+ issuehunt: # Replace with a single IssueHunt username
11
+ otechie: # Replace with a single Otechie username
12
+ custom: # Replace with a single custom sponsorship URL
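Review bot: the funding entries here (`github: [ljharb]`, `tidelift: npm/qs`) point at the upstream qs maintainer and the upstream npm package, yet this is published as `@augustofarnese/qs-patch`; keeping them in a fork routes sponsorship and Tidelift support requests to a project that does not maintain this build. Either replace them with the fork's own details or drop the file. The diff view also shows no file header for this hunk (or the two that follow), so the target path is not visible here, and the commented `# Replace with ...` lines are template placeholders that can go.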
@@ -0,0 +1,11 @@
1
+ # Security
2
+
3
+ Please file a private vulnerability report via GitHub, email [@ljharb](https://github.com/ljharb), or see https://tidelift.com/security if you have a potential security vulnerability to report.
4
+
5
+ ## Incident Response Plan
6
+
7
+ Please see our [Incident Response Plan](https://github.com/ljharb/.github/blob/main/INCIDENT_RESPONSE_PLAN.md).
8
+
9
+ ## Threat Model
10
+
11
+ Please see [THREAT_MODEL.md](./THREAT_MODEL.md).
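Review bot: the reporting channel names the upstream maintainer (`[@ljharb]`) and `https://tidelift.com/security` while the package is the `@augustofarnese/qs-patch` fork, so someone who finds a defect introduced by the patch itself would report it to people who cannot fix this build and may not know it exists. Point the contact at the fork's own private-report mechanism, or state explicitly that only issues also present in upstream qs belong there. The `./THREAT_MODEL.md` relative link and the Incident Response Plan link are carried over from upstream as well and should be checked against what the fork actually ships.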
@@ -0,0 +1,78 @@
1
+ ## Threat Model for qs (querystring parsing library)
2
+
3
+ ### 1. Library Overview
4
+
5
+ - **Library Name:** qs
6
+ - **Brief Description:** A JavaScript library for parsing and stringifying URL query strings, supporting nested objects and arrays. It is widely used in Node.js and web applications for processing query parameters[2][6][8].
7
+ - **Key Public APIs/Functions:** `qs.parse()`, `qs.stringify()`
8
+
9
+ ### 2. Define Scope
10
+
11
+ This threat model focuses on the core parsing and stringifying functionality, specifically the handling of nested objects and arrays, option validation, and cycle management in stringification.
12
+
13
+ ### 3. Conceptual System Diagram
14
+
15
+ ```
16
+ Caller Application → qs.parse(input, options) → Parsing Engine → Output Object
17
+
18
+ └→ Options Handling
19
+
20
+ Caller Application → qs.stringify(obj, options) → Stringifying Engine → Output String
21
+
22
+ └→ Options Handling
23
+ └→ Cycle Tracking
24
+ ```
25
+
26
+ **Trust Boundaries:**
27
+ - **Input string (parse):** May come from untrusted sources (e.g., user input, network requests)
28
+ - **Input object (stringify):** May contain cycles, which can lead to infinite loops during stringification
29
+ - **Options:** Provided by the caller
30
+ - **Cycle Tracking:** Used only during stringification to detect and handle circular references
31
+
32
+ ### 4. Identify Assets
33
+
34
+ - **Integrity of parsed output:** Prevent malicious manipulation of the output object structure, especially ensuring builtins/globals are not modified as a result of parse[3][4][8].
35
+ - **Confidentiality of processed data:** Avoid leaking sensitive information through errors or output.
36
+ - **Availability/performance for host application:** Prevent crashes or resource exhaustion in the consuming application.
37
+ - **Security of host application:** Prevent the library from being a vector for attacks (e.g., prototype pollution, DoS).
38
+ - **Reputation of library:** Maintain trust by avoiding supply chain attacks and vulnerabilities[1].
39
+
40
+ ### 5. Identify Threats
41
+
42
+ | Component / API / Interaction | S | T | R | I | D | E |
43
+ |---------------------------------------|----|----|----|----|----|----|
44
+ | Public API Call (`parse`) | – | ✓ | – | ✓ | ✓ | ✓ |
45
+ | Public API Call (`stringify`) | – | ✓ | – | ✓ | ✓ | – |
46
+ | Options Handling | ✓ | ✓ | – | ✓ | – | ✓ |
47
+ | Dependency Interaction | – | – | – | – | ✓ | – |
48
+
49
+ **Key Threats:**
50
+ - **Tampering:** Malicious input can, if not prevented, alter parsed output (e.g., prototype pollution via `__proto__`, modification of builtins/globals)[3][4][8].
51
+ - **Information Disclosure:** Error messages may expose internal details or sensitive data.
52
+ - **Denial of Service:** Large or malformed input can exhaust memory or CPU.
53
+ - **Elevation of Privilege:** Prototype pollution can lead to unintended privilege escalation in the host application[3][4][8].
54
+
55
+ ### 6. Mitigation/Countermeasures
56
+
57
+ | Threat Identified | Proposed Mitigation |
58
+ |---------------------------------------------------|---------------------|
59
+ | Tampering (malicious input, prototype pollution) | Strict input validation; keep `allowPrototypes: false` by default; use `plainObjects` for output; ensure builtins/globals are never modified by parse[4][8]. |
60
+ | Information Disclosure (error messages) | Generic error messages without stack traces or internal paths. |
61
+ | Denial of Service (memory/CPU exhaustion) | Enforce `arrayLimit` and `parameterLimit` with safe defaults; enable `throwOnLimitExceeded`; limit nesting depth[7]. |
62
+ | Elevation of Privilege (prototype pollution) | Keep `allowPrototypes: false`; validate options against allowlist; use `plainObjects` to avoid prototype pollution[4][8]. |
63
+
64
+ ### 7. Risk Ranking
65
+
66
+ - **High:** Denial of Service via array parsing or malformed input (historical vulnerability)
67
+ - **Medium:** Prototype pollution via options or input (if `allowPrototypes` enabled)
68
+ - **Low:** Information disclosure in errors
69
+
70
+ ### 8. Next Steps & Review
71
+
72
+ 1. **Audit option validation logic.**
73
+ 2. **Add depth limiting to nested parsing and stringification.**
74
+ 3. **Implement fuzz testing for parser and stringifier edge cases.**
75
+ 4. **Regularly review dependencies for vulnerabilities.**
76
+ 5. **Keep documentation and threat model up to date.**
77
+ 6. **Ensure builtins/globals are never modified as a result of parse.**
78
+ 7. **Support round-trip consistency between parse and stringify as a non-security goal, with the right options[5][9].**
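Review bot: the bracketed citation markers `[1]` to `[9]` scattered through the document (e.g. `processing query parameters[2][6][8]`, `supply chain attacks and vulnerabilities[1]`) resolve to nothing; no References section is included in the file, so a reader cannot verify the claims they are meant to support. Either add the reference list or strip the markers. Two smaller points: the Denial of Service mitigation says `limit nesting depth` without naming the `depth` option that implements it, while the neighbouring cells do name theirs (`arrayLimit`, `parameterLimit`, `throwOnLimitExceeded`), and Next Step 2, `Add depth limiting to nested parsing and stringification`, reads as if no such limit exists today; the two statements should be reconciled.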
package/.nycrc ADDED
@@ -0,0 +1,13 @@
1
+ {
2
+ "all": true,
3
+ "check-coverage": false,
4
+ "reporter": ["text-summary", "text", "html", "json"],
5
+ "lines": 86,
6
+ "statements": 85.93,
7
+ "functions": 82.43,
8
+ "branches": 76.06,
9
+ "exclude": [
10
+ "coverage",
11
+ "dist"
12
+ ]
13
+ }
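Review bot: `"check-coverage": false` disables threshold enforcement, so the `lines`, `statements`, `functions` and `branches` values below it are never checked and the test run cannot fail on a coverage regression (unless a separate `nyc check-coverage` step is wired into CI, which this file does not show). If the thresholds are meant to gate the build, set `"check-coverage": true`; if they are informational only, drop them so the config does not suggest a guarantee it does not enforce.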