
#0503

Query String Parser

Difficulty: Medium · +100 XP · OWASP A08:2021 Software and Data Integrity Failures · CWE-1321
Tags: Prototype Pollution · Query Parsing

Scenario

Your API parses bracket-notation query strings — e.g. `user[name]=alice` — into nested objects.

The parser splits each key by `[` and `]` without validating individual segments, so an attacker can send `__proto__[isAdmin]=true` and pollute Object.prototype before any business logic runs.

Query string parsers are among the most common entry points for prototype pollution because user input is split into object keys automatically. Libraries like qs and querystring have shipped real CVEs for exactly this pattern.

Your Tasks

  1. After splitting a key into its bracket segments, validate each segment.
  2. Throw `'Prototype pollution detected'` if any segment equals `__proto__`, `constructor`, or `prototype`.
  3. Return the correctly parsed object for safe query strings.

Examples

Example 1: Exploit — prototype chain injection via query string

parseQueryString('__proto__[isAdmin]=true')
// throws: 'Prototype pollution detected'

Example 2: Safe — bracket notation parsed correctly

parseQueryString('user[name]=alice&user[role]=viewer')
// returns: {user: {name: 'alice', role: 'viewer'}}

Constraints

  • Throw exactly `'Prototype pollution detected'` on any forbidden segment.
  • Support both flat keys (`id=123`) and bracket-notation keys (`user[name]=alice`).
  • An empty query string must return an empty object without throwing.
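A parser that meets the tasks and constraints above, written here as an added example rather than the challenge's reference solution. It assumes the thrown value is an `Error` whose message is the required string, and it percent-decodes each key before validating segments, so an encoded `__proto__` is caught by the same check as a literal one.

```javascript
// Added example, not the challenge's reference solution.
// Segments that would walk onto Object.prototype when used as nested keys.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split "user[name]" into ["user", "name"] and reject any forbidden segment.
// Decoding happens before the check so "%5F%5Fproto%5F%5F" cannot bypass it.
function splitKey(rawKey) {
  const key = decodeURIComponent(rawKey);
  const segments = [];
  const open = key.indexOf('[');
  if (open === -1) {
    segments.push(key);                       // flat key such as "id"
  } else {
    segments.push(key.slice(0, open));        // head segment before first "["
    const bracket = /\[([^\]]*)\]/g;          // each "[segment]" after the head
    let match;
    while ((match = bracket.exec(key.slice(open))) !== null) {
      segments.push(match[1]);
    }
  }
  for (const segment of segments) {
    if (FORBIDDEN_SEGMENTS.has(segment)) {
      throw new Error('Prototype pollution detected');
    }
  }
  return segments;
}

// Parse "a=1&user[name]=alice" into a nested plain object.
function parseQueryString(queryString) {
  const result = {};
  if (queryString === '') return result;      // empty input: empty object, no throw
  for (const pair of queryString.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1));
    const segments = splitKey(rawKey);        // validated before any assignment
    let cursor = result;
    segments.forEach((segment, index) => {
      if (index === segments.length - 1) {
        cursor[segment] = value;
      } else {
        // Only descend into objects this parser created; never into inherited ones.
        if (!Object.prototype.hasOwnProperty.call(cursor, segment) ||
            typeof cursor[segment] !== 'object' || cursor[segment] === null) {
          cursor[segment] = {};
        }
        cursor = cursor[segment];
      }
    });
  }
  return result;
}
```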
