bourne - npm Package Compare versions

Comparing version

to
1.3.3

LICENSE.md


lib/index.js

@@ -5,3 +5,3 @@ 'use strict';

const internals = {
suspectRx: /"(?:_|\\u005f)(?:_|\\u005f)(?:p|\\u0070)(?:r|\\u0072)(?:o|\\u006f)(?:t|\\u0074)(?:o|\\u006f)(?:_|\\u005f)(?:_|\\u005f)"\s*\:/
suspectRx: /"(?:_|\\u005[Ff])(?:_|\\u005[Ff])(?:p|\\u0070)(?:r|\\u0072)(?:o|\\u006[Ff])(?:t|\\u0074)(?:o|\\u006[Ff])(?:_|\\u005[Ff])(?:_|\\u005[Ff])"\s*\:/
};
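Review bot: The `suspectRx` change closes a real bypass but should ship with a test and a comment. JSON allows uppercase hex digits in any `\uXXXX` escape, and the old pattern accepted only the lowercase forms `\u005f` and `\u006f`, so a key spelled `"\u005F\u005Fproto\u005F\u005F"` (or with `\u006F` for either `o`) did not match and the document passed straight through; the new `[Ff]` classes cover exactly the escapes whose hex digits contain a letter, and the remaining ones (`\u0070`, `\u0072`, `\u0074`) are all-decimal, so nothing else needs case handling. No test change is visible in this compare, so please add a case with an uppercase-escaped key. A one-line comment above the regex stating that it is only a cheap "is this input worth scanning" pre-filter (as the name suggests) rather than the protection itself would stop readers from auditing it as the full check.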

@@ -88,1 +88,12 @@

};
exports.safeParse = function (text, reviver) {
try {
return exports.parse(text, reviver);
}
catch (ignoreError) {
return null;
}
};
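Review bot: `safeParse` drops the `options` argument: its signature is `function (text, reviver)` and it calls `exports.parse(text, reviver)` with no third parameter, so callers cannot select `protoAction: 'remove'` or `'ignore'` through this entry point and always get the default `'error'` behaviour, silently converted to `null`. Because `catch (ignoreError)` returns `null` for every failure, a prototype-poisoning attempt, malformed JSON and the legitimate document `null` all yield the same value, which makes the function unusable wherever the caller needs to log or alert on the poisoning case. Suggest `exports.safeParse = function (text, reviver, options)` forwarding `options`, and either documenting the `null` ambiguity or returning `undefined` on the failure path so that `safeParse('null')` stays distinguishable. Nothing else in this compare documents `safeParse`.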


package.json
{
"name": "bourne",
"description": "JSON parse with prototype poisoning protection",
"version": "1.1.2",
"version": "1.3.3",
"repository": "git://github.com/hapijs/bourne",
"engines": {
"node": ">=6.0.0"
},
"main": "lib/index.js",
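Review bot: This hunk establishes that the left-hand side of the compare is `1.1.2`, which the page header above leaves blank; `"engines"` and `"main"` are untouched, so the `node >=6.0.0` floor still applies to 1.3.3. Jumping two minor versions in one compare means the change list below is cumulative, so each item should be read as "changed somewhere between 1.1.2 and 1.3.3" rather than as a single commit.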

@@ -15,11 +18,10 @@ "keywords": [

"devDependencies": {
"benchmark": "^2.1.4",
"code": "5.x.x",
"lab": "18.x.x"
"code": "4.x.x",
"lab": "14.x.x"
},
"scripts": {
"test": "lab -a code -t 100 -L",
"test-cov-html": "lab -a code -r html -o coverage.html"
"test": "lab -a code -t 100 -L -l",
"test-cov-html": "lab -a code -r html -o coverage.html -l"
},
"license": "BSD-3-Clause"
"license": "SEE LICENSE IN LICENSE.md"
}
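Review bot: The `"license"` line moving from `BSD-3-Clause` to `SEE LICENSE IN LICENSE.md` is the most consequential change in this file for consumers: it replaces a machine-readable SPDX identifier with a free-text pointer, so licence scanners and policy gates that allow-list SPDX expressions will either flag the package or pass it depending on their unknown-licence default, and it arrives in a minor release (1.1.2 to 1.3.3) rather than a major one. Two smaller points: `code` (5.x.x to 4.x.x) and `lab` (18.x.x to 14.x.x) move backwards, which suggests the right-hand side was branched from an older tree rather than built on top of the left, and the `-l` flag added to both `test` scripts disables lab's global-leak detection; that deserves a stated reason, since leak detection is precisely the kind of check a library that manipulates `__proto__` benefits from.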

@@ -0,1 +1,3 @@

<a href="http://hapijs.com"><img src="https://raw.githubusercontent.com/hapijs/assets/master/images/family.png" width="180px" align="right" /></a>
# Bourne. JSON Bourne.

@@ -5,47 +7,6 @@

## Introduction
[![Build Status](https://travis-ci.org/hapijs/bourne.svg?branch=v1-commercial)](https://travis-ci.org/hapijs/bourne)
Consider this:
## License
```
> const a = '{"__proto__":{ "b":5}}';
'{"__proto__":{ "b":5}}'
> const b = JSON.parse(a);
{ __proto__: { b: 5 } }
> b.b;
undefined
> const c = Object.assign({}, b);
{}
> c.b
5
```
The problem is that `JSON.parse()` retains the `__proto__` property as a plain object key. By
itself, this is not a security issue. However, as soon as that object is assigned to another or
iterated on and values copied, the `__proto__` property leaks and becomes the object's prototype.
## API
### `Bourne.parse(text, [reviver], [options])`
Parses a given JSON-formatted text into an object where:
- `text` - the JSON text string.
- `reviver` - the `JSON.parse()` optional `reviver` argument.
- `options` - optional configuration object where:
- `protoAction` - optional string with one of:
- `'error'` - throw a `SyntaxError` when a `__proto__` key is found. This is the default value.
- `'remove'` - deletes any `__proto__` keys from the result object.
- `'ignore'` - skips all validation (same as calling `JSON.parse()` directly).
### `Bourne.scan(obj, [options])`
Scans a given object for prototype properties where:
- `obj` - the object being scanned.
- `options` - optional configuration object where:
- `protoAction` - optional string with one of:
- `'error'` - throw a `SyntaxError` when a `__proto__` key is found. This is the default value.
- `'remove'` - deletes any `__proto__` keys from the input `obj`.
This version of the package requires a commercial license. You may not use, copy, or distribute it without first acquiring a commercial license from Sideway Inc. Using this software without a license is a violation of US and international law. To obtain a license, please contact [sales@sideway.com](mailto:sales@sideway.com). The open source version of this package can be found [here](https://github.com/hapijs/bourne).
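Review bot: This hunk removes the entire Introduction, the worked `__proto__` example and the `Bourne.parse` / `Bourne.scan` API reference (including the `protoAction` values `'error'`, `'remove'` and `'ignore'`), and adds only a Travis badge pinned to `branch=v1-commercial` plus the commercial-licence notice, so 1.3.3 ships with no usage documentation at all. The removed text was the only place that explained why a parsed `__proto__` key becomes dangerous once the object is copied (`Object.assign({}, b)` making `c.b` resolve to `5`) and that `'error'` throws a `SyntaxError`, which is exactly the exception the new `safeParse` swallows. Even under the new licence, keeping at least the API section in the README would prevent users from guessing at option names; the notice itself already links to the open source repository for the full docs, so the two could coexist. Note for readers of this compare that the display interleaves removed and added lines, so the `## License` heading and the final paragraph are the additions and everything between them is deleted content.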
