diff --git a/lib/_http_client.js b/lib/_http_client.js
index c14e899dabbf04..95c05e2cd46e04 100644
--- a/lib/_http_client.js
+++ b/lib/_http_client.js
@@ -209,7 +209,7 @@ function ClientRequest(input, options, cb) {
 cb = options;
 options = input || kEmptyObject;
 } else {
- options = ObjectAssign(input || {}, options);
+ options = ObjectAssign({ __proto__: null }, input, options);
 }
 let agent = options.agent;
diff --git a/test/parallel/test-http-client-null-prototype-options.js b/test/parallel/test-http-client-null-prototype-options.js
new file mode 100644
index 00000000000000..22e1b2dcec0f3a
--- /dev/null
+++ b/test/parallel/test-http-client-null-prototype-options.js
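Review bot: In `lib/_http_client.js`, only the `else` branch now yields a null-prototype `options`; the sibling branch `options = input || kEmptyObject;` keeps `input` exactly as it was built above the hunk, so whether that path also ignores keys inherited from `Object.prototype` cannot be confirmed from these lines and deserves a check or a test. The new line would benefit from a why-comment so the guarantee is not lost in a later refactor, for example `// Null-prototype copy: option lookups must not fall through to Object.prototype.` Because `options` no longer inherits from `Object.prototype`, any later code in this function, or a custom agent that receives the object, that calls something like `options.hasOwnProperty(...)` would now throw; that is presumably rare but worth a search outside this hunk. The body of `ClientRequest` starts and ends outside the hunk.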
@@ -0,0 +1,62 @@
+'use strict';
+
+const common = require('../common');
+const assert = require('node:assert');
+const http = require('node:http');
+
+const server = http.createServer(common.mustCall((req, res) => {
+ req.resume();
+ req.on('end', common.mustCall(() => {
+ res.end('ok');
+ }));
+}, 2));
+
+function makeRequest(options, callback) {
+ Object.defineProperty(Object.prototype, 'hostname', {
+ __proto__: null,
+ configurable: true,
+ get: common.mustNotCall('get %Object.prototype%.hostname'),
+ });
+
+ let req;
+ try {
+ req = http.request(options, callback);
+ } finally {
+ delete Object.prototype.hostname;
+ }
+
+ req.on('error', common.mustNotCall());
+ req.end();
+}
+
+server.listen(0, common.localhostIPv4, common.mustCall(() => {
+ const { address, port } = server.address();
+
+ makeRequest(
+ {
+ host: address,
+ port,
+ path: '/',
+ },
+ common.mustCall((res) => {
+ assert.strictEqual(res.statusCode, 200);
+ res.resume();
+ res.on('end', common.mustCall());
+ }),
+ );
+
+ const nullProtoOptions = { __proto__: null, host: address, port, path: '/' };
+
+ assert.strictEqual(Object.getPrototypeOf(nullProtoOptions), null);
+
+ makeRequest(
+ nullProtoOptions,
+ common.mustCall((res) => {
+ assert.strictEqual(res.statusCode, 200);
+ res.resume();
+ res.on('end', common.mustCall(() => {
+ server.close(common.mustCall());
+ }));
+ }),
+ );
+}));
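Review bot: Both `makeRequest` calls use the `http.request(options, callback)` form, so the test never reaches the patched `ObjectAssign` call with two non-empty sources, as in the URL-plus-options form. A third case built from `http://${address}:${port}/` plus an options object, run under the same trap with the server's `mustCall` count raised from 2 to 3, would confirm that form still works with the null-prototype target. The trap also covers only `hostname` and is removed in `finally` as soon as `http.request()` returns, so an inherited lookup of any other key, or one made after the synchronous call, would go unnoticed. A short comment in `makeRequest` should state that scope, for example `// Trap is live only during the synchronous http.request() call and only for 'hostname'.`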