secure-json-parse
Advanced tools
JSON.parse() drop-in replacement with prototype poisoning protection.
Consider this:
> const a = '{"__proto__":{ "b":5}}';
'{"__proto__":{ "b":5}}'
> const b = JSON.parse(a);
{ __proto__: { b: 5 } }
> b.b;
undefined
> const c = Object.assign({}, b);
{}
> c.b
5
The problem is that JSON.parse() retains the __proto__ property as a plain object key. By
itself, this is not a security issue. However, as soon as that object is assigned to another or
iterated on and values copied, the __proto__ property leaks and becomes the object's prototype.
npm i secure-json-parse
Pass the option object as a second (or third) parameter for configuring the action to take in case of a bad JSON, if nothing is configured, the default is to throw a SyntaxError.
You can choose which action to perform in case __proto__ is present, and in case constructor.prototype is present.
const sjson = require('secure-json-parse')
const goodJson = '{ "a": 5, "b": 6 }'
const badJson = '{ "a": 5, "b": 6, "__proto__": { "x": 7 }, "constructor": {"prototype": {"bar": "baz"} } }'
console.log(JSON.parse(goodJson), sjson.parse(goodJson, undefined, { protoAction: 'remove', constructorAction: 'remove' }))
console.log(JSON.parse(badJson), sjson.parse(badJson, undefined, { protoAction: 'remove', constructorAction: 'remove' }))
sjson.parse(text, [reviver], [options])Parses a given JSON-formatted text into an object where:
text - the JSON text string.reviver - the JSON.parse() optional reviver argument.options - optional configuration object where:
protoAction - optional string with one of:
'error' - throw a SyntaxError when a __proto__ key is found. This is the default value.'remove' - deletes any __proto__ keys from the result object.'ignore' - skips all validation (same as calling JSON.parse() directly).constructorAction - optional string with one of:
'error' - throw a SyntaxError when a constructor.prototype key is found. This is the default value.'remove' - deletes any constructor keys from the result object.'ignore' - skips all validation (same as calling JSON.parse() directly).safe - optional boolean:
true - returns null instead of throwing when a forbidden prototype property is found.false - default behavior (throws or removes based on protoAction/constructorAction).sjson.scan(obj, [options])Scans a given object for prototype properties where:
obj - the object being scanned.options - optional configuration object where:
protoAction - optional string with one of:
'error' - throw a SyntaxError when a __proto__ key is found. This is the default value.'remove' - deletes any __proto__ keys from the input obj.constructorAction - optional string with one of:
'error' - throw a SyntaxError when a constructor.prototype key is found. This is the default value.'remove' - deletes any constructor keys from the input obj.safe - optional boolean:
true - returns null instead of throwing when a forbidden prototype property is found.false - default behavior (throws or removes based on protoAction/constructorAction).Machine: 2,7 GHz Quad-Core Intel Core i7
v14.8.0
> node ignore.js
JSON.parse x 679,376 ops/sec ±1.15% (84 runs sampled)
secure-json-parse x 649,605 ops/sec ±0.58% (87 runs sampled)
reviver x 244,414 ops/sec ±1.05% (88 runs sampled)
Fastest is JSON.parse
> node no__proto__.js
JSON.parse x 652,190 ops/sec ±0.67% (86 runs sampled)
secure-json-parse x 589,785 ops/sec ±1.01% (88 runs sampled)
reviver x 218,075 ops/sec ±1.58% (87 runs sampled)
Fastest is JSON.parse
> node remove.js
JSON.parse x 683,527 ops/sec ±0.62% (88 runs sampled)
secure-json-parse x 316,926 ops/sec ±0.63% (87 runs sampled)
reviver x 214,167 ops/sec ±0.63% (86 runs sampled)
Fastest is JSON.parse
> node throw.js
JSON.parse x 682,548 ops/sec ±0.60% (88 runs sampled)
JSON.parse error x 170,716 ops/sec ±0.93% (87 runs sampled)
secure-json-parse x 104,483 ops/sec ±0.62% (87 runs sampled)
reviver x 114,197 ops/sec ±0.63% (87 runs sampled)
Fastest is JSON.parse
This project has been forked from hapijs/bourne. All credit before commit 4690682 goes to the hapijs/bourne project contributors. After, the project will be maintained by the Fastify team.
Licensed under BSD-3-Clause.
fast-json-parse is a package that focuses on providing a fast and safe way to parse JSON strings. While it emphasizes performance, it may not offer the same level of security features specifically designed to prevent prototype pollution attacks as secure-json-parse does.
flatted is a package that offers JSON parsing and stringifying with support for circular references. While it addresses a different aspect of JSON handling (circular references), it does not specifically focus on security concerns like prototype pollution, which is the main focus of secure-json-parse.
FAQs
JSON parse with prototype poisoning protection
The npm package secure-json-parse receives a total of 13,762,757 weekly downloads. As such, secure-json-parse popularity was classified as popular.
We found that secure-json-parse demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 11 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Five malicious NuGet packages impersonate Chinese .NET libraries to deploy a stealer targeting browser credentials, crypto wallets, SSH keys, and local files.
Security News
pnpm 11 turns on a 1-day Minimum Release Age and blocks exotic subdeps by default, adding safeguards against fast-moving supply chain attacks.
Security News
The remediated findings include organization permission bugs, stale project access after transfers, OIDC replay edge cases, audit logging gaps, and an IDOR in API token deletion.