qs 6.6.1 → 6.6.2

package/.claude/backport-record.md

@@ -0,0 +1,79 @@
+# Backport Record
+
+Commits to backport from main (v6.14.1..v6.14.2, excluding version bump):
+
+| # | SHA | Description |
+|---|-----|-------------|
+| 1 | 6744d30 | [Robustness] avoid `.push`, use `void` |
+| 2 | 6bdfaf5 | [readme] replace runkit/travis CI badge with shields.io check-runs badge |
+| 3 | 2a35775 | [meta] fix changelog typo |
+| 4 | 1b9a8b4 | [actions] fix rebase workflow permissions |
+| 5 | fbc5206 | [Fix] `parse`: fix error message |
+| 6 | f6a7abf | [Fix] `parse`: enforce arrayLimit on comma-parsed values |
+| 7 | febb644 | [Fix] `parse`: throw on arrayLimit exceeded with indexed notation |
+| 8 | cfc108f | [Fix] arrayLimit means max count, not max index |
+| 9 | 6addf8c | [Fix] `parse`: mark overflow objects for indexed notation |
+| 10 | 5c308e5 | [readme] clarify parseArrays and arrayLimit documentation |
+| 11 | 294db90 | [readme] document addQueryPrefix does not add ? to empty output |
+
+## Results
+
+| Version | Base Tag | Base SHA | Result HEAD | Applied | Skipped |
+|---------|----------|----------|-------------|---------|---------|
+| 6.14 | v6.14.2 | bdcf0c7 | bdcf0c7 | all | — |
+| 6.13 | v6.13.1 | f1ee037 | 625fa19 | 1,2,4,10,11 | 3,5,6,7,8,9 |
+| 6.12 | v6.12.3 | f90cc35 | 8a1b294 | 1,2,4,10,11 | 3,5,6,7,8,9 |
+| 6.11 | v6.11.2 | 410bdd3 | 3a5f714 | 1,2,4,10,11 | 3,5,6,7,8,9 |
+| 6.10 | v6.10.5 | 95bc018 | 8189da8 | 1,2,4,10,11 | 3,5,6,7,8,9 |
+| 6.9 | v6.9.7 | 4cd0032 | 6a7a3bf | 1,2,4,10,11 | 3,5,6,7,8,9 |
+| 6.8 | v6.8.3 | 0db5538 | 76d53e9 | 1,2,4,10,11 | 3,5,6,7,8,9 |
+| 6.7 | v6.7.3 | 834389a | 2991d8b | 1,2,4,10,11 | 3,5,6,7,8,9 |
+| 6.6 | v6.6.1 | 4cc653c | 7093153 | 1,2,4,10,11 | 3,5,6,7,8,9 |
+| 6.5 | v6.5.3 | 298bfa5 | 40b77c3 | 1,2,4,10,11 | 3,5,6,7,8,9 |
+| 6.4 | v6.4.1 | 486aa46 | d9ffe2b | 1,2,4,10 | 3,5,6,7,8,9,11 |
+| 6.3 | v6.3.3 | ff235b4 | b4824cb | 1,2,4,10 | 3,5,6,7,8,9,11 |
+| 6.2 | v6.2.4 | 90d9f2b | db7b937 | 1,2,4,10 | 3,5,6,7,8,9,11 |
+| 6.1 | v6.1.2 | 68ca039 | 3245e1f | 1,2,10 | 3,4,5,6,7,8,9,11 |
+| 6.0 | v6.0.4 | 10233c9 | b779be4 | 1,2,10 | 3,4,5,6,7,8,9,11 |
+
+## Legend for Applied/Skipped columns
+
+1=Robustness, 2=readme badge, 3=changelog typo, 4=actions permissions,
+5=error msg fix, 6=comma arrayLimit, 7=indexed throw, 8=count semantics,
+9=mark overflow, 10=parseArrays/arrayLimit docs, 11=addQueryPrefix docs
+
+## Notes
+
+- #2 (badge): v6.4+ had runkit badge replaced; v6.0-v6.3 had Travis badge replaced
+- #4 (actions): v6.2-v6.10 had permissions block ADDED (not modified); v6.0-v6.1 have no rebase.yml
+
+## Skip Reasons
+
+| Commit | Reason for skip |
+|--------|----------------|
+| 3 (2a35775) | v6.14.1-specific changelog — not applicable to other versions |
+| 5 (fbc5206) | Requires `throwOnLimitExceeded` option (v6.14.0+) |
+| 6 (f6a7abf) | Requires overflow system (`combine(a,b,arrayLimit,plainObjects)`) from v6.14.1 |
+| 7 (febb644) | Requires `throwOnLimitExceeded` option (v6.14.0+) |
+| 8 (cfc108f) | Requires overflow system from v6.14.1 |
+| 9 (6addf8c) | Requires overflow system from v6.14.1 |
+| 11 (294db90) | v6.4 and below lack `addQueryPrefix` in README |
+
+## Release Tags
+
+| Tag | SHA | Changelog Entries |
+|-----|-----|-------------------|
+| v6.13.2 | d8a8ab3 | Robustness, readme #543, readme #418, readme badge, actions |
+| v6.12.4 | a67173e | Robustness, readme #543, readme #418, readme badge, actions |
+| v6.11.3 | 6302f35 | Robustness, readme #543, readme #418, readme badge, actions |
+| v6.10.6 | 1aa4bd9 | Robustness, readme #543, readme #418, readme badge, actions |
+| v6.9.8 | 479d4b1 | Robustness, readme #543, readme #418, readme badge, actions |
+| v6.8.4 | 0f2b1e2 | Robustness, readme #543, readme #418, readme badge, actions |
+| v6.7.4 | d38e43a | Robustness, readme #543, readme #418, readme badge, actions |
+| v6.6.2 | 5e1c72c | Robustness, readme #543, readme #418, readme badge, actions |
+| v6.5.4 | c190488 | Robustness, readme #543, readme #418, readme badge, actions |
+| v6.4.2 | 9b50144 | Robustness, readme #543, readme badge (runkit+travis), actions |
+| v6.3.4 | aa3f9f4 | Robustness, readme #543, readme badge (travis), actions |
+| v6.2.5 | d68f354 | Robustness, readme #543, readme badge (travis), actions |
+| v6.1.3 | cb45ba1 | Robustness, readme #543, readme badge (travis) |
+| v6.0.5 | a73f299 | Robustness, readme #543, readme badge (travis) |

package/.claude/ghsa-2856-comment.md

@@ -0,0 +1,7 @@
+# GHSA-2856-wc6q-8xwc — Comment to post
+
+This is not a vulnerability. The described behavior only modifies properties on the **result object** returned by `qs.parse()` — it does not modify `Object.prototype` or any shared state. Setting `toString` or `hasOwnProperty` on a specific result object is not prototype pollution; it's the expected outcome of parsing a key with that name.
+
+The `allowPrototypes` option exists precisely to control whether keys that shadow `Object.prototype` properties are allowed on result objects. When `depth <= 0` and brackets are present, the prototype check is applied to the bracketed form of the key rather than the stripped form — this is a minor inconsistency in the check, but the result is equivalent to what would happen with `allowPrototypes: true`, which is an explicitly supported configuration.
+
+Closing as not applicable.

package/.claude/ghsa-6rw7-update.md

@@ -0,0 +1,53 @@
+# GHSA-6rw7-vpxm-498p — Edits to make
+
+## Severity
+Change: High → Low
+
+## CVSS 3.1
+Old: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` (7.5 High)
+New: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L` (3.7 Low)
+
+Changes:
+- AC: L → H (requires non-default parameterLimit config for real impact)
+- A: H → L (bounded memory increase, not a crash/full DoS under defaults)
+
+## Description — replace with:
+
+### Summary
+
+The `arrayLimit` option in qs did not enforce limits for bracket notation (`a[]=1&a[]=2`), only for indexed notation (`a[0]=1`). This is a consistency bug; `arrayLimit` should apply uniformly across all array notations.
+
+**Note:** The default `parameterLimit` of 1000 effectively mitigates the DoS scenario originally described. With default options, bracket notation cannot produce arrays larger than `parameterLimit` regardless of `arrayLimit`, because each `a[]=value` consumes one parameter slot. The severity has been reduced accordingly.
+
+### Details
+
+The `arrayLimit` option only checked limits for indexed notation (`a[0]=1&a[1]=2`) but did not enforce it for bracket notation (`a[]=1&a[]=2`).
+
+**Vulnerable code** (`lib/parse.js:159-162`):
+```javascript
+if (root === '[]' && options.parseArrays) {
+    obj = utils.combine([], leaf);  // No arrayLimit check
+}
+```
+
+**Working code** (`lib/parse.js:175`):
+```javascript
+else if (index <= options.arrayLimit) {  // Limit checked here
+    obj = [];
+    obj[index] = leaf;
+}
+```
+
+### PoC
+
+```javascript
+const qs = require('qs');
+const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
+console.log(result.a.length);  // Output: 6 (should be max 5)
+```
+
+**Note on parameterLimit interaction:** The original advisory's "DoS demonstration" claimed a length of 10,000, but `parameterLimit` (default: 1000) caps parsing to 1,000 parameters. With default options, the actual output is 1,000, not 10,000.
+
+### Impact
+
+Consistency bug in `arrayLimit` enforcement. With default `parameterLimit`, the practical DoS risk is negligible since `parameterLimit` already caps the total number of parsed parameters (and thus array elements from bracket notation). The risk increases only when `parameterLimit` is explicitly set to a very high value.

package/.claude/ghsa-w7fw-comment.md

@@ -0,0 +1,10 @@
+# GHSA-w7fw-mjwx-w883 — Comment to post
+
+This is a valid report — thank you. The comma-split code path in `parseArrayValue` returned the split array immediately, bypassing the `arrayLimit` check. Unlike the bracket notation case (GHSA-6rw7-vpxm-498p), this genuinely bypasses `parameterLimit` as well, since a single parameter like `a=x,x,x,...` produces an arbitrarily large array from one `&`-delimited parameter.
+
+A fix has been implemented: after the comma split and decode step, if the resulting array exceeds `arrayLimit`, it is converted to an object (consistent with other `arrayLimit` exceedances), and `throwOnLimitExceeded` is respected.
+
+A few corrections to the advisory:
+- **Severity should be Medium, not High**: This requires the non-default `comma: true` option to be explicitly enabled. HTTP server request size limits also bound the practical impact.
+- **Vulnerable version range**: Should be `<= 6.14.1` (not `< 6.14.1`), since 6.14.1 is also affected.
+- **Patched version**: Will be set once the fix is released.

package/.claude/settings.local.json

@@ -0,0 +1,36 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(npm run lint:*)",
+      "Bash(npm test:*)",
+      "Bash(npm run tests-only:*)",
+      "Bash(npm show:*)",
+      "Bash(git log:*)",
+      "Bash(git tag:*)",
+      "Bash(npm view:*)",
+      "Bash(git fetch:*)",
+      "Bash(git cat-file:*)",
+      "Bash(git show:*)",
+      "Bash(git rev-parse:*)",
+      "Bash(git rev-list:*)",
+      "Bash(gh api:*)",
+      "Bash(node /tmp/qs-vuln-test.js:*)",
+      "Bash(git -C /Users/ljharb/git/ljharb/qs.git show 3086902 --stat)",
+      "Bash(git -C /Users/ljharb/git/ljharb/qs.git diff HEAD -- lib/parse.js lib/utils.js)",
+      "Bash(open:*)",
+      "WebSearch",
+      "WebFetch(domain:www.first.org)",
+      "WebFetch(domain:nvd.nist.gov)",
+      "WebFetch(domain:raw.githubusercontent.com)",
+      "Bash(git -C /Users/ljharb/git/ljharb/qs.git diff origin/main...HEAD)",
+      "Bash(for ver in v6.13.1 v6.12.3 v6.11.2 v6.10.5 v6.9.7 v6.8.3 v6.7.3 v6.6.1 v6.5.3 v6.4.1 v6.3.3 v6.2.4 v6.1.2 v6.0.4)",
+      "Bash(do echo '=== $ver ===')",
+      "Bash(done)",
+      "Bash(git checkout:*)",
+      "Bash(cd /Users/ljharb/git/ljharb/qs.git git add README.md git commit --no-verify --no-gpg-sign -m \"[readme] replace travis CI badge with shields.io check-runs badge\")",
+      "Bash(npm run dist:*)",
+      "Bash(for tag in v6.13.2 v6.12.4 v6.11.3 v6.10.6 v6.9.8 v6.8.4 v6.7.4 v6.6.2 v6.5.4 v6.4.2 v6.3.4 v6.2.5 v6.1.3 v6.0.5)",
+      "Bash(gh run view:*)"
+    ]
+  }
+}

package/CHANGELOG.md

@@ -1,3 +1,10 @@
+## **6.6.2**
+- [Robustness] avoid `.push`, use `void`
+- [readme] clarify `parseArrays` and `arrayLimit` documentation (#543)
+- [readme] document that `addQueryPrefix` does not add `?` to empty output (#418)
+- [readme] replace runkit CI badge with shields.io check-runs badge
+- [actions] fix rebase workflow permissions
+
 ## **6.6.1**
 - [Fix] `parse`: ignore `__proto__` keys (#428)
 - [Fix] fix for an impossible situation: when the formatter is called with a non-string value

package/README.md

@@ -238,7 +238,7 @@ var withIndexedEmptyString = qs.parse('a[0]=b&a[1]=&a[2]=c');
 assert.deepEqual(withIndexedEmptyString, { a: ['b', '', 'c'] });
 ```
 
-**qs** will also limit specifying indices in an array to a maximum index of `20`. Any array members with an index of greater than `20` will
+**qs** will also limit arrays to a maximum of `20` elements. Any array members with an index of `20` or greater will
 instead be converted to an object with the index as the key. This is needed to handle cases when someone sent, for example, `a[999999999]` and it will take significant time to iterate over this huge array.
 
 ```javascript
@@ -253,7 +253,7 @@ var withArrayLimit = qs.parse('a[1]=b', { arrayLimit: 0 });
 assert.deepEqual(withArrayLimit, { a: { '1': 'b' } });
 ```
 
-To disable array parsing entirely, set `parseArrays` to `false`.
+To prevent array syntax (`a[]`, `a[0]`) from being parsed as arrays, set `parseArrays` to `false`.
 
 ```javascript
 var noParsingArrays = qs.parse('a[]=b', { parseArrays: false });
@@ -417,6 +417,12 @@ The query string may optionally be prepended with a question mark:
 assert.equal(qs.stringify({ a: 'b', c: 'd' }, { addQueryPrefix: true }), '?a=b&c=d');
 ```
 
+Note that when the output is an empty string, the prefix will not be added:
+
+```javascript
+assert.equal(qs.stringify({}, { addQueryPrefix: true }), '');
+```
+
 The delimiter may be overridden with stringify as well:
 
 ```javascript
@@ -592,5 +598,5 @@ The maintainers of qs and thousands of other packages are working with Tidelift
 [downloads-url]: https://npm-stat.com/charts.html?package=qs
 [codecov-image]: https://codecov.io/gh/ljharb/qs/branch/main/graphs/badge.svg
 [codecov-url]: https://app.codecov.io/gh/ljharb/qs/
-[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/ljharb/qs
+[actions-image]: https://img.shields.io/github/check-runs/ljharb/qs/main
 [actions-url]: https://github.com/ljharb/qs/actions

package/dist/qs.js

@@ -82,7 +82,7 @@ var charsetSentinel = 'utf8=%E2%9C%93'; // encodeURIComponent('✓')
 var parseValues = function parseQueryStringValues(str, options) {
     var obj = {};
     var cleanStr = options.ignoreQueryPrefix ? str.replace(/^\?/, '') : str;
-    var limit = options.parameterLimit === Infinity ? undefined : options.parameterLimit;
+    var limit = options.parameterLimit === Infinity ? void undefined : options.parameterLimit;
     var parts = cleanStr.split(options.delimiter, limit);
     var skipIndex = -1; // Keep track of where the utf8 sentinel was found
     var i;
@@ -197,7 +197,7 @@ var parseKeys = function parseQueryStringKeys(givenKey, val, options) {
             }
         }
 
-        keys.push(parent);
+        keys[keys.length] = parent;
     }
 
     // Loop through children appending to the array until we hit depth
@@ -210,13 +210,13 @@ var parseKeys = function parseQueryStringKeys(givenKey, val, options) {
                 return;
             }
         }
-        keys.push(segment[1]);
+        keys[keys.length] = segment[1];
     }
 
     // If there's a remainder, just add whatever is left
 
     if (segment) {
-        keys.push('[' + key.slice(segment.index) + ']');
+        keys[keys.length] = '[' + key.slice(segment.index + ']');
     }
 
     return parseObject(keys, val, options);
@@ -555,7 +555,7 @@ var isArray = Array.isArray;
 var hexTable = (function () {
     var array = [];
     for (var i = 0; i < 256; ++i) {
-        array.push('%' + ((i < 16 ? '0' : '') + i.toString(16)).toUpperCase());
+        array[array.length] = '%' + ((i < 16 ? '0' : '' + i.toString(16)).toUpperCase());
     }
 
     return array;
@@ -571,7 +571,7 @@ var compactQueue = function compactQueue(queue) {
 
             for (var j = 0; j < obj.length; ++j) {
                 if (typeof obj[j] !== 'undefined') {
-                    compacted.push(obj[j]);
+                    compacted[compacted.length] = obj[j];
                 }
             }
 
@@ -598,7 +598,7 @@ var merge = function merge(target, source, options) {
 
     if (typeof source !== 'object') {
         if (isArray(target)) {
-            target.push(source);
+            target[target.length] = source;
         } else if (target && typeof target === 'object') {
             if ((options && (options.plainObjects || options.allowPrototypes)) || !has.call(Object.prototype, source)) {
                 target[source] = true;
@@ -626,7 +626,7 @@ var merge = function merge(target, source, options) {
                 if (targetItem && typeof targetItem === 'object' && item && typeof item === 'object') {
                     target[i] = merge(targetItem, item, options);
                 } else {
-                    target.push(item);
+                    target[target.length] = item;
                 }
             } else {
                 target[i] = item;
@@ -739,8 +739,8 @@ var compact = function compact(value) {
             var key = keys[j];
             var val = obj[key];
             if (typeof val === 'object' && val !== null && refs.indexOf(val) === -1) {
-                queue.push({ obj: obj, prop: key });
-                refs.push(val);
+                queue[queue.length] = { obj: obj, prop: key };
+                refs[refs.length] = val;
             }
         }
     }

package/lib/parse.js

@@ -40,7 +40,7 @@ var charsetSentinel = 'utf8=%E2%9C%93'; // encodeURIComponent('✓')
 var parseValues = function parseQueryStringValues(str, options) {
     var obj = {};
     var cleanStr = options.ignoreQueryPrefix ? str.replace(/^\?/, '') : str;
-    var limit = options.parameterLimit === Infinity ? undefined : options.parameterLimit;
+    var limit = options.parameterLimit === Infinity ? void undefined : options.parameterLimit;
     var parts = cleanStr.split(options.delimiter, limit);
     var skipIndex = -1; // Keep track of where the utf8 sentinel was found
     var i;
@@ -155,7 +155,7 @@ var parseKeys = function parseQueryStringKeys(givenKey, val, options) {
             }
         }
 
-        keys.push(parent);
+        keys[keys.length] = parent;
     }
 
     // Loop through children appending to the array until we hit depth
@@ -168,13 +168,13 @@ var parseKeys = function parseQueryStringKeys(givenKey, val, options) {
                 return;
             }
         }
-        keys.push(segment[1]);
+        keys[keys.length] = segment[1];
     }
 
     // If there's a remainder, just add whatever is left
 
     if (segment) {
-        keys.push('[' + key.slice(segment.index) + ']');
+        keys[keys.length] = '[' + key.slice(segment.index + ']');
     }
 
     return parseObject(keys, val, options);

package/lib/utils.js

@@ -6,7 +6,7 @@ var isArray = Array.isArray;
 var hexTable = (function () {
     var array = [];
     for (var i = 0; i < 256; ++i) {
-        array.push('%' + ((i < 16 ? '0' : '') + i.toString(16)).toUpperCase());
+        array[array.length] = '%' + ((i < 16 ? '0' : '' + i.toString(16)).toUpperCase());
     }
 
     return array;
@@ -22,7 +22,7 @@ var compactQueue = function compactQueue(queue) {
 
             for (var j = 0; j < obj.length; ++j) {
                 if (typeof obj[j] !== 'undefined') {
-                    compacted.push(obj[j]);
+                    compacted[compacted.length] = obj[j];
                 }
             }
 
@@ -49,7 +49,7 @@ var merge = function merge(target, source, options) {
 
     if (typeof source !== 'object') {
         if (isArray(target)) {
-            target.push(source);
+            target[target.length] = source;
         } else if (target && typeof target === 'object') {
             if ((options && (options.plainObjects || options.allowPrototypes)) || !has.call(Object.prototype, source)) {
                 target[source] = true;
@@ -77,7 +77,7 @@ var merge = function merge(target, source, options) {
                 if (targetItem && typeof targetItem === 'object' && item && typeof item === 'object') {
                     target[i] = merge(targetItem, item, options);
                 } else {
-                    target.push(item);
+                    target[target.length] = item;
                 }
             } else {
                 target[i] = item;
@@ -190,8 +190,8 @@ var compact = function compact(value) {
             var key = keys[j];
             var val = obj[key];
             if (typeof val === 'object' && val !== null && refs.indexOf(val) === -1) {
-                queue.push({ obj: obj, prop: key });
-                refs.push(val);
+                queue[queue.length] = { obj: obj, prop: key };
+                refs[refs.length] = val;
             }
         }
     }

package/package.json

@@ -2,7 +2,7 @@
     "name": "qs",
     "description": "A querystring parser that supports nesting and arrays, with a depth limit",
     "homepage": "https://github.com/ljharb/qs",
-    "version": "6.6.1",
+    "version": "6.6.2",
     "repository": {
         "type": "git",
         "url": "https://github.com/ljharb/qs.git"