From 0eb16d8541838e80f3c2340a9ef93ded7c97290f Mon Sep 17 00:00:00 2001
From: Asjid Kalam <asjid.kalam@gmail.com>
Date: Tue, 25 Aug 2020 20:18:03 +0530
Subject: [PATCH] fixed prototype pollution

---
 src/php/strings/parse_str.js | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/php/strings/parse_str.js b/src/php/strings/parse_str.js
index db14a01262..d711008c35 100644
--- a/src/php/strings/parse_str.js
+++ b/src/php/strings/parse_str.js
@@ -74,6 +74,10 @@ module.exports = function parse_str (str, array) { // eslint-disable-line camelc
     key = _fixStr(tmp[0])
     value = (tmp.length < 2) ? '' : _fixStr(tmp[1])
 
+    if (key.includes('__proto__') || key.includes('constructor') || key.includes('prototype')) {
+      break;
+    }
+
     while (key.charAt(0) === ' ') {
       key = key.slice(1)
     }