🚨 [security] Update qs 6.11.0 → 6.14.1 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ qs (6.11.0 → 6.14.1) · Repo · Changelog

Security Advisories 🚨

🚨 qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion

Summary

The arrayLimit option in qs does not enforce limits for bracket notation (a[]=1&a[]=2), allowing attackers to cause denial-of-service via memory exhaustion. Applications using arrayLimit for DoS protection are vulnerable.

Details

The arrayLimit option only checks limits for indexed notation (a[0]=1&a[1]=2) but completely bypasses it for bracket notation (a[]=1&a[]=2).

Vulnerable code (lib/parse.js:159-162):

if (root === '[]' && options.parseArrays) {
    obj = utils.combine([], leaf);  // No arrayLimit check
}

Working code (lib/parse.js:175):

else if (index <= options.arrayLimit) {  // Limit checked here
    obj = [];
    obj[index] = leaf;
}

The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays.

PoC

Test 1 - Basic bypass:

npm install qs

const qs = require('qs');
const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
console.log(result.a.length);  // Output: 6 (should be max 5)

Test 2 - DoS demonstration:

const qs = require('qs');
const attack = 'a[]=' + Array(10000).fill('x').join('&a[]=');
const result = qs.parse(attack, { arrayLimit: 100 });
console.log(result.a.length);  // Output: 10000 (should be max 100)

Configuration:

• arrayLimit: 5 (test 1) or arrayLimit: 100 (test 2)
• Use bracket notation: a[]=value (not indexed a[0]=value)

Impact

Denial of Service via memory exhaustion. Affects applications using qs.parse() with user-controlled input and arrayLimit for protection.

Attack scenario:

1. Attacker sends HTTP request: GET /api/search?filters[]=x&filters[]=x&...&filters[]=x (100,000+ times)
2. Application parses with qs.parse(query, { arrayLimit: 100 })
3. qs ignores limit, parses all 100,000 elements into array
4. Server memory exhausted → application crashes or becomes unresponsive
5. Service unavailable for all users

Real-world impact:

• Single malicious request can crash server
• No authentication required
• Easy to automate and scale
• Affects any endpoint parsing query strings with bracket notation

Suggested Fix

Add arrayLimit validation to the bracket notation handler. The code already calculates currentArrayLength at line 147-151, but it's not used in the bracket notation handler at line 159.

Current code (lib/parse.js:159-162):

if (root === '[]' && options.parseArrays) {
    obj = options.allowEmptyArrays && (leaf === '' || (options.strictNullHandling && leaf === null))
        ? []
        : utils.combine([], leaf);  // No arrayLimit check
}

Fixed code:

if (root === '[]' && options.parseArrays) {
    // Use currentArrayLength already calculated at line 147-151
    if (options.throwOnLimitExceeded && currentArrayLength >= options.arrayLimit) {
        throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.');
    }
<span class="pl-c">// If limit exceeded and not throwing, convert to object (consistent with indexed notation behavior)</span>
<span class="pl-k">if</span> <span class="pl-kos">(</span><span class="pl-s1">currentArrayLength</span> <span class="pl-c1">&gt;=</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-c1">arrayLimit</span><span class="pl-kos">)</span> <span class="pl-kos">{</span>
    <span class="pl-s1">obj</span> <span class="pl-c1">=</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-c1">plainObjects</span> ? <span class="pl-kos">{</span> <span class="pl-c1">__proto__</span>: <span class="pl-c1">null</span> <span class="pl-kos">}</span> : <span class="pl-kos">{</span><span class="pl-kos">}</span><span class="pl-kos">;</span>
    <span class="pl-s1">obj</span><span class="pl-kos">[</span><span class="pl-s1">currentArrayLength</span><span class="pl-kos">]</span> <span class="pl-c1">=</span> <span class="pl-s1">leaf</span><span class="pl-kos">;</span>
<span class="pl-kos">}</span> <span class="pl-k">else</span> <span class="pl-kos">{</span>
    <span class="pl-s1">obj</span> <span class="pl-c1">=</span> <span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-c1">allowEmptyArrays</span> <span class="pl-c1">&amp;&amp;</span> <span class="pl-kos">(</span><span class="pl-s1">leaf</span> <span class="pl-c1">===</span> <span class="pl-s">''</span> <span class="pl-c1">||</span> <span class="pl-kos">(</span><span class="pl-s1">options</span><span class="pl-kos">.</span><span class="pl-c1">strictNullHandling</span> <span class="pl-c1">&amp;&amp;</span> <span class="pl-s1">leaf</span> <span class="pl-c1">===</span> <span class="pl-c1">null</span><span class="pl-kos">)</span><span class="pl-kos">)</span>
        ? <span class="pl-kos">[</span><span class="pl-kos">]</span>
        : <span class="pl-s1">utils</span><span class="pl-kos">.</span><span class="pl-en">combine</span><span class="pl-kos">(</span><span class="pl-kos">[</span><span class="pl-kos">]</span><span class="pl-kos">,</span> <span class="pl-s1">leaf</span><span class="pl-kos">)</span><span class="pl-kos">;</span>
<span class="pl-kos">}</span>

}

This makes bracket notation behaviour consistent with indexed notation, enforcing arrayLimit and converting to object when limit is exceeded (per README documentation).

Release Notes

6.14.0 (from changelog)

• [New] parse: add throwOnParameterLimitExceeded option (#517)
• [Refactor] parse: use utils.combine more
• [patch] parse: add explicit throwOnLimitExceeded default
• [actions] use shared action; re-add finishers
• [meta] Fix changelog formatting bug
• [Deps] update side-channel
• [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
• [Tests] increase coverage

6.13.1 (from changelog)

• [Fix] stringify: avoid a crash when a filter key is null
• [Fix] utils.merge: functions should not be stringified into keys
• [Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset
• [Fix] stringify: ensure a non-string filter does not crash
• [Refactor] use __proto__ syntax instead of Object.create for null objects
• [Refactor] misc cleanup
• [Tests] utils.merge: add some coverage
• [Tests] fix a test case
• [actions] split out node 10-20, and 20+
• [Dev Deps] update es-value-fixtures, mock-property, object-inspect, tape

6.13.0 (from changelog)

• [New] parse: add strictDepth option (#511)
• [Tests] use npm audit instead of aud

6.12.3 (from changelog)

• [Fix] parse: properly account for strictNullHandling when allowEmptyArrays
• [meta] fix changelog indentation

6.12.2 (from changelog)

• [Fix] parse: parse encoded square brackets (#506)
• [readme] add CII best practices badge

6.11.2 (from changelog)

• [Fix] parse: Fix parsing when the global Object prototype is frozen (#473)
• [Tests] add passing test cases with empty keys (#473)

6.11.1 (from changelog)

• [Fix] stringify: encode comma values more consistently (#463)
• [readme] add usage of filter option for injecting custom serialization, i.e. of custom types (#447)
• [meta] remove extraneous code backticks (#457)
• [meta] fix changelog markdown
• [actions] update checkout action
• [actions] restrict action permissions
• [Dev Deps] update @ljharb/eslint-config, aud, object-inspect, tape

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)