npm - qs - Versions diffs - 6.2.3 → 6.2.5 - Mend

qs 6.2.3 → 6.2.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/test/parse.js CHANGED Viewed

@@ -3,10 +3,11 @@
 var test = require('tape');
 var qs = require('../');
 var iconv = require('iconv-lite');
+var SaferBuffer = require('safer-buffer').Buffer;
 test('parse()', function (t) {
     t.test('parses a simple string', function (st) {
-        st.deepEqual(qs.parse('0=foo'), { '0': 'foo' });
+        st.deepEqual(qs.parse('0=foo'), { 0: 'foo' });
         st.deepEqual(qs.parse('foo=c++'), { foo: 'c  ' });
         st.deepEqual(qs.parse('a[>=]=23'), { a: { '>=': '23' } });
         st.deepEqual(qs.parse('a[<=>]==23'), { a: { '<=>': '=23' } });
@@ -84,7 +85,7 @@ test('parse()', function (t) {
     t.test('limits specific array indices to 20', function (st) {
         st.deepEqual(qs.parse('a[20]=a'), { a: ['a'] });
-        st.deepEqual(qs.parse('a[21]=a'), { a: { '21': 'a' } });
+        st.deepEqual(qs.parse('a[21]=a'), { a: { 21: 'a' } });
         st.end();
     });
@@ -115,11 +116,11 @@ test('parse()', function (t) {
     });
     t.test('transforms arrays to objects', function (st) {
-        st.deepEqual(qs.parse('foo[0]=bar&foo[bad]=baz'), { foo: { '0': 'bar', bad: 'baz' } });
-        st.deepEqual(qs.parse('foo[bad]=baz&foo[0]=bar'), { foo: { bad: 'baz', '0': 'bar' } });
-        st.deepEqual(qs.parse('foo[bad]=baz&foo[]=bar'), { foo: { bad: 'baz', '0': 'bar' } });
-        st.deepEqual(qs.parse('foo[]=bar&foo[bad]=baz'), { foo: { '0': 'bar', bad: 'baz' } });
-        st.deepEqual(qs.parse('foo[bad]=baz&foo[]=bar&foo[]=foo'), { foo: { bad: 'baz', '0': 'bar', '1': 'foo' } });
+        st.deepEqual(qs.parse('foo[0]=bar&foo[bad]=baz'), { foo: { 0: 'bar', bad: 'baz' } });
+        st.deepEqual(qs.parse('foo[bad]=baz&foo[0]=bar'), { foo: { bad: 'baz', 0: 'bar' } });
+        st.deepEqual(qs.parse('foo[bad]=baz&foo[]=bar'), { foo: { bad: 'baz', 0: 'bar' } });
+        st.deepEqual(qs.parse('foo[]=bar&foo[bad]=baz'), { foo: { 0: 'bar', bad: 'baz' } });
+        st.deepEqual(qs.parse('foo[bad]=baz&foo[]=bar&foo[]=foo'), { foo: { bad: 'baz', 0: 'bar', 1: 'foo' } });
         st.deepEqual(qs.parse('foo[0][a]=a&foo[0][b]=b&foo[1][a]=aa&foo[1][b]=bb'), { foo: [{ a: 'a', b: 'b' }, { a: 'aa', b: 'bb' }] });
         st.deepEqual(qs.parse('a[]=b&a[t]=u&a[hasOwnProperty]=c', { allowPrototypes: false }), { a: { 0: 'b', t: 'u' } });
@@ -135,16 +136,16 @@ test('parse()', function (t) {
         st.deepEqual(qs.parse('foo[0][0].baz=bar&fool.bad=baz', { allowDots: true }), { foo: [[{ baz: 'bar' }]], fool: { bad: 'baz' } });
         st.deepEqual(qs.parse('foo[0].baz[0]=15&foo[0].bar=2', { allowDots: true }), { foo: [{ baz: ['15'], bar: '2' }] });
         st.deepEqual(qs.parse('foo[0].baz[0]=15&foo[0].baz[1]=16&foo[0].bar=2', { allowDots: true }), { foo: [{ baz: ['15', '16'], bar: '2' }] });
-        st.deepEqual(qs.parse('foo.bad=baz&foo[0]=bar', { allowDots: true }), { foo: { bad: 'baz', '0': 'bar' } });
-        st.deepEqual(qs.parse('foo.bad=baz&foo[]=bar', { allowDots: true }), { foo: { bad: 'baz', '0': 'bar' } });
-        st.deepEqual(qs.parse('foo[]=bar&foo.bad=baz', { allowDots: true }), { foo: { '0': 'bar', bad: 'baz' } });
-        st.deepEqual(qs.parse('foo.bad=baz&foo[]=bar&foo[]=foo', { allowDots: true }), { foo: { bad: 'baz', '0': 'bar', '1': 'foo' } });
+        st.deepEqual(qs.parse('foo.bad=baz&foo[0]=bar', { allowDots: true }), { foo: { bad: 'baz', 0: 'bar' } });
+        st.deepEqual(qs.parse('foo.bad=baz&foo[]=bar', { allowDots: true }), { foo: { bad: 'baz', 0: 'bar' } });
+        st.deepEqual(qs.parse('foo[]=bar&foo.bad=baz', { allowDots: true }), { foo: { 0: 'bar', bad: 'baz' } });
+        st.deepEqual(qs.parse('foo.bad=baz&foo[]=bar&foo[]=foo', { allowDots: true }), { foo: { bad: 'baz', 0: 'bar', 1: 'foo' } });
         st.deepEqual(qs.parse('foo[0].a=a&foo[0].b=b&foo[1].a=aa&foo[1].b=bb', { allowDots: true }), { foo: [{ a: 'a', b: 'b' }, { a: 'aa', b: 'bb' }] });
         st.end();
     });
     t.test('correctly prunes undefined values when converting an array to an object', function (st) {
-        st.deepEqual(qs.parse('a[2]=b&a[99999999]=c'), { a: { '2': 'b', '99999999': 'c' } });
+        st.deepEqual(qs.parse('a[2]=b&a[99999999]=c'), { a: { 2: 'b', 99999999: 'c' } });
         st.end();
     });
@@ -156,7 +157,7 @@ test('parse()', function (t) {
     });
     t.test('doesn\'t produce empty keys', function (st) {
-        st.deepEqual(qs.parse('_r=1&'), { '_r': '1' });
+        st.deepEqual(qs.parse('_r=1&'), { _r: '1' });
         st.end();
     });
@@ -221,14 +222,14 @@ test('parse()', function (t) {
     });
     t.test('parses buffers correctly', function (st) {
-        var b = new Buffer('test');
+        var b = SaferBuffer.from('test');
         st.deepEqual(qs.parse({ a: b }), { a: b });
         st.end();
     });
     t.test('continues parsing when no parent is found', function (st) {
-        st.deepEqual(qs.parse('[]=&a=b'), { '0': '', a: 'b' });
-        st.deepEqual(qs.parse('[]&a=b', { strictNullHandling: true }), { '0': null, a: 'b' });
+        st.deepEqual(qs.parse('[]=&a=b'), { 0: '', a: 'b' });
+        st.deepEqual(qs.parse('[]&a=b', { strictNullHandling: true }), { 0: null, a: 'b' });
         st.deepEqual(qs.parse('[foo]=bar'), { foo: 'bar' });
         st.end();
     });
@@ -244,7 +245,7 @@ test('parse()', function (t) {
         st.end();
     });
-    t.test('should not throw when a native prototype has an enumerable property', { parallel: false }, function (st) {
+    t.test('should not throw when a native prototype has an enumerable property', function (st) {
         Object.prototype.crash = '';
         Array.prototype.crash = '';
         st.doesNotThrow(qs.parse.bind(null, 'a=b'));
@@ -282,14 +283,21 @@ test('parse()', function (t) {
     });
     t.test('allows overriding array limit', function (st) {
-        st.deepEqual(qs.parse('a[0]=b', { arrayLimit: -1 }), { a: { '0': 'b' } });
+        st.deepEqual(qs.parse('a[0]=b', { arrayLimit: -1 }), { a: { 0: 'b' } });
         st.deepEqual(qs.parse('a[-1]=b', { arrayLimit: -1 }), { a: { '-1': 'b' } });
-        st.deepEqual(qs.parse('a[0]=b&a[1]=c', { arrayLimit: 0 }), { a: { '0': 'b', '1': 'c' } });
+        st.deepEqual(qs.parse('a[0]=b&a[1]=c', { arrayLimit: 0 }), { a: { 0: 'b', 1: 'c' } });
         st.end();
     });
     t.test('allows disabling array parsing', function (st) {
-        st.deepEqual(qs.parse('a[0]=b&a[1]=c', { parseArrays: false }), { a: { '0': 'b', '1': 'c' } });
+        var indices = qs.parse('a[0]=b&a[1]=c', { parseArrays: false });
+        st.deepEqual(indices, { a: { 0: 'b', 1: 'c' } });
+        st.equal(Array.isArray(indices.a), false, 'parseArrays:false, indices case is not an array');
+        var emptyBrackets = qs.parse('a[]=b', { parseArrays: false });
+        st.deepEqual(emptyBrackets, { a: { 0: 'b' } });
+        st.equal(Array.isArray(emptyBrackets.a), false, 'parseArrays:false, empty brackets case is not an array');
         st.end();
     });
@@ -333,13 +341,13 @@ test('parse()', function (t) {
     t.test('parses an object and not child values', function (st) {
         var input = {
-            'user[name]': { 'pop[bob]': { 'test': 3 } },
+            'user[name]': { 'pop[bob]': { test: 3 } },
             'user[email]': null
         };
         var expected = {
             user: {
-                name: { 'pop[bob]': { 'test': 3 } },
+                name: { 'pop[bob]': { test: 3 } },
                 email: null
             }
         };
@@ -461,13 +469,73 @@ test('parse()', function (t) {
         st.deepEqual(
             qs.parse('a[b]=c&a=toString', { plainObjects: true }),
-            { a: { b: 'c', toString: true } },
+            { __proto__: null, a: { __proto__: null, b: 'c', toString: true } },
             'can overwrite prototype with plainObjects true'
         );
         st.end();
     });
+    t.test('dunder proto is ignored', function (st) {
+        var payload = 'categories[__proto__]=login&categories[__proto__]&categories[length]=42';
+        var result = qs.parse(payload, { allowPrototypes: true });
+        st.deepEqual(
+            result,
+            {
+                categories: {
+                    length: '42'
+                }
+            },
+            'silent [[Prototype]] payload'
+        );
+        var plainResult = qs.parse(payload, { allowPrototypes: true, plainObjects: true });
+        st.deepEqual(
+            plainResult,
+            {
+                __proto__: null,
+                categories: {
+                    __proto__: null,
+                    length: '42'
+                }
+            },
+            'silent [[Prototype]] payload: plain objects'
+        );
+        var query = qs.parse('categories[__proto__]=cats&categories[__proto__]=dogs&categories[some][json]=toInject', { allowPrototypes: true });
+        st.notOk(Array.isArray(query.categories), 'is not an array');
+        st.notOk(query.categories instanceof Array, 'is not instanceof an array');
+        st.deepEqual(query.categories, { some: { json: 'toInject' } });
+        st.equal(JSON.stringify(query.categories), '{"some":{"json":"toInject"}}', 'stringifies as a non-array');
+        st.deepEqual(
+            qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true }),
+            {
+                foo: {
+                    bar: 'stuffs'
+                }
+            },
+            'hidden values'
+        );
+        st.deepEqual(
+            qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true, plainObjects: true }),
+            {
+                __proto__: null,
+                foo: {
+                    __proto__: null,
+                    bar: 'stuffs'
+                }
+            },
+            'hidden values: plain objects'
+        );
+        st.end();
+    });
     t.test('can return null objects', { skip: !Object.create }, function (st) {
         var expected = Object.create(null);
         expected.a = Object.create(null);
@@ -486,25 +554,23 @@ test('parse()', function (t) {
     t.test('can parse with custom encoding', function (st) {
         st.deepEqual(qs.parse('%8c%a7=%91%e5%8d%e3%95%7b', {
             decoder: function (str) {
-                var reg = /\%([0-9A-F]{2})/ig;
+                var reg = /%([0-9A-F]{2})/ig;
                 var result = [];
                 var parts;
-                var last = 0;
-                while (parts = reg.exec(str)) {
+                // var last = 0;
+                while ((parts = reg.exec(str))) {
                     result.push(parseInt(parts[1], 16));
-                    last = parts.index + parts[0].length;
+                    // last = parts.index + parts[0].length;
                 }
-                return iconv.decode(new Buffer(result), 'shift_jis').toString();
+                return iconv.decode(SaferBuffer.from(result), 'shift_jis').toString();
             }
         }), { 県: '大阪府' });
         st.end();
     });
     t.test('throws error with wrong decoder', function (st) {
-        st.throws(function () {
-            qs.parse({}, {
-                decoder: 'string'
-            });
+        st['throws'](function () {
+            qs.parse({}, { decoder: 'string' });
         }, new TypeError('Decoder has to be a function.'));
         st.end();
     });

package/test/stringify.js CHANGED Viewed

@@ -3,6 +3,7 @@
 var test = require('tape');
 var qs = require('../');
 var iconv = require('iconv-lite');
+var SaferBuffer = require('safer-buffer').Buffer;
 test('stringify()', function (t) {
     t.test('stringifies a querystring object', function (st) {
@@ -39,7 +40,6 @@ test('stringify()', function (t) {
         st.end();
     });
     t.test('omits nested nulls when asked', function (st) {
         st.equal(qs.stringify({ a: { b: 'c', d: null } }, { skipNulls: true }), 'a%5Bb%5D=c');
         st.end();
@@ -194,8 +194,8 @@ test('stringify()', function (t) {
     });
     t.test('stringifies buffer values', function (st) {
-        st.equal(qs.stringify({ a: new Buffer('test') }), 'a=test');
-        st.equal(qs.stringify({ a: { b: new Buffer('test') } }), 'a%5Bb%5D=test');
+        st.equal(qs.stringify({ a: SaferBuffer.from('test') }), 'a=test');
+        st.equal(qs.stringify({ a: { b: SaferBuffer.from('test') } }), 'a%5Bb%5D=test');
         st.end();
     });
@@ -224,7 +224,7 @@ test('stringify()', function (t) {
         var calls = 0;
         var obj = { a: 'b', c: 'd', e: { f: new Date(1257894000000) } };
         var filterFunc = function (prefix, value) {
-            calls++;
+            calls += 1;
             if (calls === 1) {
                 st.equal(prefix, '', 'prefix is empty');
                 st.equal(value, obj);
@@ -258,20 +258,20 @@ test('stringify()', function (t) {
     t.test('can sort the keys at depth 3 or more too', function (st) {
         var sort = function (a, b) { return a.localeCompare(b); };
-        st.equal(qs.stringify({ a: 'a', z: { zj: {zjb: 'zjb', zja: 'zja'}, zi: {zib: 'zib', zia: 'zia'} }, b: 'b' }, { sort: sort, encode: false }), 'a=a&b=b&z[zi][zia]=zia&z[zi][zib]=zib&z[zj][zja]=zja&z[zj][zjb]=zjb');
-        st.equal(qs.stringify({ a: 'a', z: { zj: {zjb: 'zjb', zja: 'zja'}, zi: {zib: 'zib', zia: 'zia'} }, b: 'b' }, { sort: null, encode: false }), 'a=a&z[zj][zjb]=zjb&z[zj][zja]=zja&z[zi][zib]=zib&z[zi][zia]=zia&b=b');
+        st.equal(qs.stringify({ a: 'a', z: { zj: { zjb: 'zjb', zja: 'zja' }, zi: { zib: 'zib', zia: 'zia' } }, b: 'b' }, { sort: sort, encode: false }), 'a=a&b=b&z[zi][zia]=zia&z[zi][zib]=zib&z[zj][zja]=zja&z[zj][zjb]=zjb');
+        st.equal(qs.stringify({ a: 'a', z: { zj: { zjb: 'zjb', zja: 'zja' }, zi: { zib: 'zib', zia: 'zia' } }, b: 'b' }, { sort: null, encode: false }), 'a=a&z[zj][zjb]=zjb&z[zj][zja]=zja&z[zi][zib]=zib&z[zi][zia]=zia&b=b');
         st.end();
     });
     t.test('can stringify with custom encoding', function (st) {
-        st.equal(qs.stringify({ 県: '大阪府', '': ''}, {
+        st.equal(qs.stringify({ 県: '大阪府', '': '' }, {
             encoder: function (str) {
                 if (str.length === 0) {
                     return '';
                 }
                 var buf = iconv.encode(str, 'shiftjis');
                 var result = [];
-                for (var i=0; i < buf.length; ++i) {
+                for (var i = 0; i < buf.length; ++i) {
                     result.push(buf.readUInt8(i).toString(16));
                 }
                 return '%' + result.join('%');
@@ -281,7 +281,7 @@ test('stringify()', function (t) {
     });
     t.test('throws error with wrong encoder', function (st) {
-        st.throws(function () {
+        st['throws'](function () {
             qs.stringify({}, {
                 encoder: 'string'
             });
@@ -289,10 +289,8 @@ test('stringify()', function (t) {
         st.end();
     });
-    t.test('can use custom encoder for a buffer object', {
-        skip: typeof Buffer === 'undefined'
-    }, function (st) {
-        st.equal(qs.stringify({ a: new Buffer([1]) }, {
+    t.test('can use custom encoder for a buffer object', { skip: typeof Buffer === 'undefined' }, function (st) {
+        st.equal(qs.stringify({ a: SaferBuffer.from([1]) }, {
             encoder: function (buffer) {
                 if (typeof buffer === 'string') {
                     return buffer;

package/test/utils.js CHANGED Viewed

@@ -4,6 +4,26 @@ var test = require('tape');
 var utils = require('../lib/utils');
 test('merge()', function (t) {
+    t.deepEqual(utils.merge(null, true), [null, true], 'merges true into null');
+    t.deepEqual(utils.merge(null, [42]), [null, 42], 'merges null into an array');
     t.deepEqual(utils.merge({ a: 'b' }, { a: 'c' }), { a: ['b', 'c'] }, 'merges two objects with the same key');
+    var oneMerged = utils.merge({ foo: 'bar' }, { foo: { first: '123' } });
+    t.deepEqual(oneMerged, { foo: ['bar', { first: '123' }] }, 'merges a standalone and an object into an array');
+    var twoMerged = utils.merge({ foo: ['bar', { first: '123' }] }, { foo: { second: '456' } });
+    t.deepEqual(twoMerged, { foo: { 0: 'bar', 1: { first: '123' }, second: '456' } }, 'merges a standalone and two objects into an array');
+    var sandwiched = utils.merge({ foo: ['bar', { first: '123', second: '456' }] }, { foo: 'baz' });
+    t.deepEqual(sandwiched, { foo: ['bar', { first: '123', second: '456' }, 'baz'] }, 'merges an object sandwiched by two standalones into an array');
+    var nestedArrays = utils.merge({ foo: ['baz'] }, { foo: ['bar', 'xyzzy'] });
+    t.deepEqual(nestedArrays, { foo: ['baz', 'bar', 'xyzzy'] });
+    var noOptionsNonObjectSource = utils.merge({ foo: 'baz' }, 'bar');
+    t.deepEqual(noOptionsNonObjectSource, { foo: 'baz', bar: true });
     t.end();
 });

package/.eslintignore DELETED Viewed

	@@ -1 +0,0 @@
1	- dist

package/LICENSE DELETED Viewed

@@ -1,28 +0,0 @@
-Copyright (c) 2014 Nathan LaFreniere and other contributors.
-All rights reserved.
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-    * Redistributions of source code must retain the above copyright
-      notice, this list of conditions and the following disclaimer.
-    * Redistributions in binary form must reproduce the above copyright
-      notice, this list of conditions and the following disclaimer in the
-      documentation and/or other materials provided with the distribution.
-    * The names of any contributors may not be used to endorse or promote
-      products derived from this software without specific prior written
-      permission.
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS AND CONTRIBUTORS BE LIABLE FOR ANY
-DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
-ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-                                  *   *   *
-The complete list of contributors can be found at: https://github.com/hapijs/qs/graphs/contributors