mazhehui
33e57c6f11
|
||
|---|---|---|
| .. | ||
| lib | ||
| .npmignore | ||
| LICENSE.md | ||
| README.md | ||
| package.json | ||
README.md
Bourne. JSON Bourne.
JSON.parse() drop-in replacement with prototype poisoning protection
Introduction
Consider this:
> const a = '{"__proto__":{ "b":5}}';
'{"__proto__":{ "b":5}}'
> const b = JSON.parse(a);
{ __proto__: { b: 5 } }
> b.b;
undefined
> const c = Object.assign({}, b);
{}
> c.b
5
The problem is that JSON.parse() retains the __proto__ property as a plain object key. By
itself, this is not a security issue. However, as soon as that object is assigned to another or
iterated on and values copied, the __proto__ property leaks and becomes the object's prototype.
API
Bourne.parse(text, [reviver], [options])
Parses a given JSON-formatted text into an object where:
text- the JSON text string.reviver- theJSON.parse()optionalreviverargument.options- optional configuration object where:protoAction- optional string with one of:'error'- throw aSyntaxErrorwhen a__proto__key is found. This is the default value.'remove'- deletes any__proto__keys from the result object.'ignore'- skips all validation (same as callingJSON.parse()directly).
Bourne.scan(obj, [options])
Scans a given object for prototype properties where:
obj- the object being scanned.options- optional configuration object where:protoAction- optional string with one of:'error'- throw aSyntaxErrorwhen a__proto__key is found. This is the default value.'remove'- deletes any__proto__keys from the inputobj.