Optimize code and fix bug / security issue

Author: hans00

README.md

@@ -30,28 +30,28 @@ benchmark             time (avg)             (min … max)       p75       p99
 -------------------------------------------------------- -----------------------------
 • basic
 -------------------------------------------------------- -----------------------------
-faster-qs         603.21 ns/iter   (547.73 ns … 1.14 µs) 607.07 ns   1.14 µs   1.14 µs
-qs                  6.72 µs/iter   (5.28 µs … 440.78 µs)   5.86 µs  16.99 µs  25.17 µs
-fast-querystring  490.43 ns/iter   (393.92 ns … 1.02 µs) 455.21 ns 974.32 ns   1.02 µs
-node:querystring  479.66 ns/iter (426.49 ns … 897.91 ns) 477.84 ns 814.14 ns 897.91 ns
+faster-qs         583.93 ns/iter   (533.32 ns … 1.22 µs) 568.81 ns   1.22 µs   1.22 µs
+qs                  5.96 µs/iter   (5.25 µs … 294.51 µs)   5.61 µs  13.49 µs  16.99 µs
+fast-querystring  408.39 ns/iter      (381.55 ns … 1 µs) 403.67 ns 600.15 ns      1 µs
+node:querystring  450.88 ns/iter (425.73 ns … 604.37 ns) 456.71 ns 532.03 ns 604.37 ns
 
 summary for basic
   faster-qs
-   1.26x slower than node:querystring
-   1.23x slower than fast-querystring
-   11.14x faster than qs
+   1.43x slower than fast-querystring
+   1.3x slower than node:querystring
+   10.2x faster than qs
 
 • deep object
 -------------------------------------------------------- -----------------------------
-faster-qs           4.46 µs/iter      (4.29 µs … 4.9 µs)   4.55 µs    4.9 µs    4.9 µs
-qs                 17.48 µs/iter  (15.15 µs … 803.78 µs)  16.15 µs  33.99 µs  43.18 µs
-fast-querystring    1.21 µs/iter     (1.14 µs … 1.48 µs)   1.22 µs   1.48 µs   1.48 µs
-node:querystring    1.65 µs/iter     (1.54 µs … 2.05 µs)   1.65 µs   2.05 µs   2.05 µs
+faster-qs           3.37 µs/iter     (3.26 µs … 3.89 µs)   3.34 µs   3.89 µs   3.89 µs
+qs                 16.91 µs/iter   (15.2 µs … 274.57 µs)  16.08 µs  34.54 µs  51.02 µs
+fast-querystring     1.2 µs/iter     (1.16 µs … 1.36 µs)    1.2 µs   1.36 µs   1.36 µs
+node:querystring    1.63 µs/iter     (1.57 µs … 1.93 µs)   1.62 µs   1.93 µs   1.93 µs
 
 summary for deep object
   faster-qs
-   3.7x slower than fast-querystring
-   2.71x slower than node:querystring
-   3.92x faster than qs
+   2.82x slower than fast-querystring
+   2.07x slower than node:querystring
+   5.01x faster than qs
 
 ```

__tests__/index.mjs

@@ -1,5 +1,4 @@
 import chai from 'chai'
-import qs from 'qs'
 import parse from '../index.mjs'
 
 const expect = (payload, target) =>
@@ -46,6 +45,9 @@ describe('parse', () => {
     expect('a[a][a][][b]&a[a][a][][]&a[a][a][][][c]', {
       a: { a: { a: [ { b: '' }, [ '' ], [ { c: '' } ] ] } },
     })
+    expect('a=1&a[a]=1', {
+      a: '1',
+    })
   })
 
   it('drop insecure key', () => {
@@ -58,5 +60,8 @@ describe('parse', () => {
     expect('a[][__proto__]=1', {
       a: [{}],
     })
+    expect('a[]=1&a[length]=1e100&a[]=2', {
+      a: ['1', '2'],
+    })
   })
 })

benchmark/node.mjs

@@ -16,9 +16,12 @@ group('Array extend', () => {
   bench('Array.push spread', () => { const a = []; a.push(...[1]) })
 })
 
-group('typecheck', () => {
-  bench('typeof', () => typeof 1 === 'number')
-  bench('isArray', () => Array.isArray(1))
+group('isArray', () => {
+  const val = 0
+  bench('isArray', () => Array.isArray(val))
+  bench('constructor', () => val?.constructor === Array)
+  bench('instanceof', () => val instanceof Array)
+  bench('typeof', () => typeof val === 'object' && val.constructor === Array)
 })
 
 group('recursive vs iterative', () => {
@@ -66,4 +69,23 @@ group('loop keys vs entries', () => {
   })
 })
 
+group('includes vs indexOf', () => {
+  bench('includes', () => [1, 2, 3].includes(3))
+  bench('indexOf', () => [1, 2, 3].indexOf(3) !== -1)
+})
+
+group('Set vs Array', () => {
+  const set = new Set([1, 2, 3])
+  const arr = [1, 2, 3]
+  bench('Set', () => set.has(3))
+  bench('Array', () => arr.includes(3))
+})
+
+group('Key exists', () => {
+  const obj = {}
+  bench('get', () => obj['a'])
+  bench('in', () => 'a' in obj)
+  bench('hasOwnProperty', () => obj.hasOwnProperty('a'))
+})
+
 await run()

index.mjs

@@ -1,5 +1,10 @@
 import { parse as parser } from 'fast-querystring'
 
+const BAD_KEYS = new Set([
+  'length',
+  ...Object.getOwnPropertyNames(Object.prototype),
+])
+
 const isPosInt = (str) => {
   const n = Number(str)
   return Number.isInteger(n) && n >= 0
@@ -8,67 +13,67 @@ const isPosInt = (str) => {
 const resolvePath = (o, path, v=null, d) => {
   let next = path
   let cur = o
-  let l, r, k
-  for (; d > 0 || !next; d--) {
+  for (let l, r, k; d > 0 || !next; d--) {
     l = next.indexOf('[')
     r = next.indexOf(']')
     if (l === -1 || r === -1 || l > r) return { [next]: v }
     k = next.slice(l + 1, r) || cur?.length || 0
     next = next.slice(r + 1)
     if (isPosInt(k)) {
-      let i = Number(k)
-      if (!cur) cur = []
-      if (!o) o = cur
-      if (!Array.isArray(cur)) {
-        if (!k && !i) i = Object.keys(cur).length
-        cur = cur[i] = {}
+      if (!cur) {
+        cur = []
+        o = cur
+      }
+      if (!(cur instanceof Array)) {
+        if (!k) k = Object.keys(cur).length
+        cur = cur[k] = {}
         continue
       }
-      const extend = i - cur.length + 1
+      k = Number(k)
+      const extend = k - cur.length + 1
       if (extend > 0) {
         cur.push.apply(cur, Array(extend))
       }
-      if (next === '[]' && typeof v !== 'string') {
-        cur[i] = [...cur[i] ?? [], ...v]
-        return o
-      } else if (next) {
-        if (next.startsWith('[]')) {
-          cur = cur[k] ??= []
-        } else {
-          if (!cur[i]) cur[i] = {}
-          else if (Array.isArray(cur[i]))
-            cur[i] = { ...cur[i] }
-          cur = cur[i]
+      if (!next) {
+        if (typeof v !== 'string') { // join array
+          cur.splice(k, 1)
+          cur.push.apply(cur, v)
+        } else { // set index
+          cur[k] = v
         }
-      } else {
-        cur[i] = v
         return o
       }
-    } else if (!{}[k]) {
-      if (!cur) cur = {}
-      if (!o) o = cur
-      if (next) {
-        if (next.startsWith('[]')) {
-          cur = cur[k] ??= []
-        } else {
-          if (!cur[k]) cur[k] = {}
-          else if (Array.isArray(cur[k]))
-            cur[k] = { ...cur[k] }
-          cur = cur[k]
-        }
-      } else {
+    } else if (!BAD_KEYS.has(k)) {
+      if (!cur) {
+        cur = {}
+        o = cur
+      }
+      if (typeof cur === 'string') {
+        break
+      }
+      if (!next) {
         cur[k] = v
         return o
       }
     } else {
       break
     }
+    // resolve next cursor
+    if (next.startsWith('[]')) {
+      cur = cur[k] ??= []
+    } else {
+      cur[k] ??= {}
+      if (cur[k] instanceof Array)
+        cur[k] = { ...cur[k] }
+      cur = cur[k]
+    }
   }
-  if (Array.isArray(cur)) {
-    if (next) cur.push({ [next]: v })
-    else cur.push(v)
-  } else if (typeof cur === 'object') {
-    if (next) cur[next] = v
+  if (next) {
+    if (cur instanceof Array) {
+      cur.push({ [next]: v })
+    } else if (typeof cur === 'object') {
+      cur[next] = v
+    }
   }
   return o
 }
@@ -83,9 +88,9 @@ export default (str, depth=5) => {
     if (l > 0 && k.indexOf(']') > l) {
       const key = k.slice(0, l)
       const path = k.slice(l)
-      if (path === '[]') {
+      if (path === '[]') { // optimize 1d array
         if (key in o) {
-          if (!Array.isArray(o[key]))
+          if (!(o[key] instanceof Array))
             o[key] = [o[key]]
           o[key] = [].concat(o[key], v)
         } else o[key] = v