Explicitly handle __proto__. Closes #21

hueniverse · hueniverse · commit 31a6c6e1f454 · 2020-02-12T23:22:07.000-08:00
diff --git a/lib/index.js b/lib/index.js
@@ -96,6 +96,10 @@ exports.disposition = function (header) {
     const result = {};
     parameters.replace(internals.contentDispositionParamRegex, ($0, $1, $2, $3, $4, $5) => {
 
+        if ($1 === '__proto__') {
+            throw Boom.badRequest('Invalid content-disposition header format includes invalid parameters');
+        }
+
         if ($2) {
             if (!$3) {
                 throw Boom.badRequest('Invalid content-disposition header format includes invalid parameters');
diff --git a/test/index.js b/test/index.js
@@ -163,4 +163,10 @@ describe('disposition()', () => {
         const header = 'form-data; filename=x';
         expect(() => Content.disposition(header)).to.throw('Invalid content-disposition header missing name parameter');
     });
+
+    it('errors on __proto__ param', () => {
+
+        const header = 'form-data; name="file"; filename=file.jpg; __proto__=x';
+        expect(() => Content.disposition(header)).to.throw('Invalid content-disposition header format includes invalid parameters');
+    });
 });
