
fix(router): handle outlet named __proto__ when parsing url #69501

Open
arshsmith1 wants to merge 1 commit into angular:main from arshsmith1:router-proto-outlet-name

@arshsmith1

PR Checklist

PR Type

  • Bugfix

What is the current behavior?

Issue Number: N/A

A named outlet in a url group like /(name:child) is read verbatim from the url, so a url such as /one(__proto__:two) makes UrlParser.parseParens assign a UrlSegmentGroup to segments['__proto__']. On a plain object that assignment goes through the inherited __proto__ setter instead of creating an outlet, so the outlet is silently dropped and the map's prototype is replaced. url.parse('/one(__proto__:two)') therefore round-trips back to /one and reports a single child, and under Node started with --disable-proto=throw the same parse throws ERR_PROTO_ACCESS.

What is the new behavior?

The outlet map is built with Object.create(null), so __proto__ is treated as an ordinary key. The outlet is kept, the prototype is left untouched, and /one(__proto__:two) serializes back unchanged.

Does this PR introduce a breaking change?

  • Yes
  • No

Other information

A url group outlet name is read verbatim, so a url like `/one(__proto__:two)` assigns a segment group to `segments['__proto__']` and goes through the inherited `__proto__` setter instead of creating the outlet. Build the outlet map with `Object.create(null)` so the name is treated as an ordinary key.
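
The behavior described in this PR, reduced to a stand-alone sketch (an added example, not code from the PR or from Angular). `parseOutletGroup`, `serializeOutletGroup` and `compare` are hypothetical helpers and the sample group string is constructed; the sketch compares an outlet map built with `{}` against one built with `Object.create(null)`.

```javascript
// Added illustration: parseOutletGroup, serializeOutletGroup and compare are
// hypothetical helpers, not Angular's UrlParser. The input string is constructed.

// Parse "(name:path//name2:path2)" into an outlet map created by makeMap().
function parseOutletGroup(group, makeMap) {
  const children = makeMap();
  for (const part of group.replace(/^\(|\)$/g, '').split('//')) {
    if (!part) continue;
    const idx = part.indexOf(':');
    const name = idx === -1 ? 'primary' : part.slice(0, idx);
    const path = idx === -1 ? part : part.slice(idx + 1);
    // The outlet name is taken verbatim from the url. On a plain object,
    // name === '__proto__' hits the inherited setter instead of adding a key
    // (and throws ERR_PROTO_ACCESS under node --disable-proto=throw).
    children[name] = {segments: path.split('/')};
  }
  return children;
}

// Serialize own outlets only, which is what a round-trip observes.
function serializeOutletGroup(children) {
  const parts = Object.keys(children).map(
    (name) => `${name}:${children[name].segments.join('/')}`
  );
  return parts.length ? `(${parts.join('//')})` : '';
}

function compare(group) {
  const report = (makeMap) => {
    const expectedProto = Object.getPrototypeOf(makeMap());
    const children = parseOutletGroup(group, makeMap);
    const own = Object.prototype.hasOwnProperty.call(children, 'segments');
    return {
      outlets: Object.keys(children),
      roundTrip: serializeOutletGroup(children),
      prototypeReplaced: Object.getPrototypeOf(children) !== expectedProto,
      // An inherited "segments" means the url-supplied value became the prototype.
      inheritsSegments: !own && 'segments' in children,
    };
  };
  return {plain: report(() => ({})), nullProto: report(() => Object.create(null))};
}

console.log(compare('(__proto__:two//aux:three)'));
```
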
@pullapprove pullapprove Bot requested a review from atscott June 24, 2026 16:50
@ngbot ngbot Bot added this to the Backlog milestone Jun 24, 2026
@atscott

atscott commented Jun 24, 2026

Contributor

Thanks! Can you please also update the following in this same PR to use Object.create(null) instead of {} and update the commit message to reflect these changes?

  1. squashSegmentGroup in packages/router/src/url_tree.ts (line 841)
  2. createSegmentGroup in packages/router/src/apply_redirects.ts (line 145)
  3. replaceSegment in packages/router/src/create_url_tree.ts (line 228)
  4. updateSegmentGroupChildren in packages/router/src/create_url_tree.ts (line 422)
