| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354 |
- <a href="http://hapijs.com"><img src="https://raw.githubusercontent.com/hapijs/assets/master/images/family.png" width="180px" align="right" /></a>
- # Bourne. JSON Bourne.
- `JSON.parse()` drop-in replacement with prototype poisoning protection
- [](https://travis-ci.org/hapijs/bourne)
- ## Introduction
- Consider this:
- ```
- > const a = '{"__proto__":{ "b":5}}';
- '{"__proto__":{ "b":5}}'
- > const b = JSON.parse(a);
- { __proto__: { b: 5 } }
- > b.b;
- undefined
- > const c = Object.assign({}, b);
- {}
- > c.b
- 5
- ```
- The problem is that `JSON.parse()` retains the `__proto__` property as a plain object key. By
- itself, this is not a security issue. However, as soon as that object is assigned to another or
- iterated on and values copied, the `__proto__` property leaks and becomes the object's prototype.
- ## API
- ### `Bourne.parse(text, [reviver], [options])`
- Parses a given JSON-formatted text into an object where:
- - `text` - the JSON text string.
- - `reviver` - the `JSON.parse()` optional `reviver` argument.
- - `options` - optional configuration object where:
- - `protoAction` - optional string with one of:
- - `'error'` - throw a `SyntaxError` when a `__proto__` key is found. This is the default value.
- - `'remove'` - deletes any `__proto__` keys from the result object.
- - `'ignore'` - skips all validation (same as calling `JSON.parse()` directly).
- ### `Bourne.scan(obj, [options])`
- Scans a given object for prototype properties where:
- - `obj` - the object being scanned.
- - `options` - optional configuration object where:
- - `protoAction` - optional string with one of:
- - `'error'` - throw a `SyntaxError` when a `__proto__` key is found. This is the default value.
- - `'remove'` - deletes any `__proto__` keys from the input `obj`.
|
