secure-json-parse - npm Package Compare versions

Comparing version 1.0.0 to 2.0.0

index.js

		'use strict'

		const suspectRx = /"(?:_\|\\u005[Ff])(?:_\|\\u005[Ff])(?:p\|\\u0070)(?:r\|\\u0072)(?:o\|\\u006[Ff])(?:t\|\\u0074)(?:o\|\\u006[Ff])(?:_\|\\u005[Ff])(?:_\|\\u005[Ff])"\s*:/
		const suspectProtoRx = /"(?:_\|\\u005[Ff])(?:_\|\\u005[Ff])(?:p\|\\u0070)(?:r\|\\u0072)(?:o\|\\u006[Ff])(?:t\|\\u0074)(?:o\|\\u006[Ff])(?:_\|\\u005[Ff])(?:_\|\\u005[Ff])"\s*:/
		const suspectConstructorRx = /"(?:c\|\\u0063)(?:o\|\\u006[Ff])(?:n\|\\u006[Ee])(?:s\|\\u0073)(?:t\|\\u0074)(?:r\|\\u0072)(?:u\|\\u0075)(?:c\|\\u0063)(?:t\|\\u0074)(?:o\|\\u006[Ff])(?:r\|\\u0072)"\s*:/

		@@ -8,3 +9,3 @@ function parse (text, reviver, options) {
		if (options == null) {
		if (reviver != null && typeof reviver === 'object') {
		if (reviver !== null && typeof reviver === 'object') {
		options = reviver
		@@ -17,7 +18,10 @@ reviver = undefined

		const protoAction = options.protoAction \|\| 'error'
		const constructorAction = options.constructorAction \|\| 'error'

		// Parse normally, allowing exceptions
		const obj = JSON.parse(text, reviver)

		// options.protoAction: 'error' (default) / 'remove' / 'ignore'
		if (options.protoAction === 'ignore') {
		// options: 'error' (default) / 'remove' / 'ignore'
		if (protoAction === 'ignore' && constructorAction === 'ignore') {
		return obj
		@@ -27,13 +31,22 @@ }
		// Ignore null and non-objects
		if (!obj \|\| typeof obj !== 'object') {
		if (obj === null \|\| typeof obj !== 'object') {
		return obj
		}

		// Check original string for potential exploit
		if (!text.match(suspectRx)) {
		return obj
		if (protoAction !== 'ignore' && constructorAction !== 'ignore') {
		if (suspectProtoRx.test(text) === false && suspectConstructorRx.test(text) === false) {
		return obj
		}
		} else if (protoAction !== 'ignore' && constructorAction === 'ignore') {
		if (suspectProtoRx.test(text) === false) {
		return obj
		}
		} else {
		if (suspectConstructorRx.test(text) === false) {
		return obj
		}
		}

		// Scan result for proto keys
		scan(obj, options)
		scan(obj, { protoAction, constructorAction })

		@@ -43,7 +56,5 @@ return obj

		function scan (obj, options) {
		options = options \|\| {}
		function scan (obj, { protoAction = 'error', constructorAction = 'error' } = {}) {
		let next = [obj]

		var next = [obj]

		while (next.length) {
		@@ -54,10 +65,18 @@ const nodes = next
		for (const node of nodes) {
		if (Object.prototype.hasOwnProperty.call(node, '__proto__')) { // Avoid calling node.hasOwnProperty directly
		if (options.protoAction !== 'remove') {
		if (protoAction !== 'ignore' && Object.prototype.hasOwnProperty.call(node, '__proto__')) { // Avoid calling node.hasOwnProperty directly
		if (protoAction === 'error') {
		throw new SyntaxError('Object contains forbidden prototype property')
		}

		delete node.__proto__ // eslint-disable-line
		delete node.__proto__ // eslint-disable-line no-proto
		}

		if (constructorAction !== 'ignore' && Object.prototype.hasOwnProperty.call(node, 'constructor')) { // Avoid calling node.hasOwnProperty directly
		if (constructorAction === 'error') {
		throw new SyntaxError('Object contains forbidden prototype property')
		}

		delete node.constructor
		}

		for (const key in node) {
		@@ -64,0 +83,0 @@ const value = node[key]

package.json

		{
		"name": "secure-json-parse",
		"version": "1.0.0",
		"version": "2.0.0",
		"description": "JSON parse with prototype poisoning protection",
		"main": "index.js",
		"scripts": {
		"test": "tap test.js"
		"test": "standard && tap test.js"
		},
		@@ -13,3 +13,10 @@ "repository": {
		},
		"keywords": [],
		"keywords": [
		"JSON",
		"parse",
		"safe",
		"security",
		"prototype",
		"pollution"
		],
		"license": "BSD-3-Clause",
		@@ -20,7 +27,6 @@ "bugs": {
		"homepage": "https://github.com/fastify/secure-json-parse#readme",
		"dependencies": {},
		"devDependencies": {
		"standard": "^12.0.1",
		"standard": "^14.3.1",
		"tap": "^12.7.0"
		}
		}

README.md

		@@ -11,3 +11,3 @@ # secure-json-parse

		```
		```js
		> const a = '{"__proto__":{ "b":5}}';
		@@ -33,5 +33,25 @@ '{"__proto__":{ "b":5}}'

		## Install
		```
		npm install secure-json-parse
		```

		## Usage

		Pass the option object as a second (or third) parameter for configuring the action to take in case of a bad JSON, if nothing is configured, the default is to throw a `SyntaxError`.<br/>
		You can choose which action to perform in case `__proto__` is present, and in case `constructor` is present.

		```js
		const sjson = require('secure-json-parse')

		const goodJson = '{ "a": 5, "b": 6 }'
		const badJson = '{ "a": 5, "b": 6, "__proto__": { "x": 7 }, "constructor": {"prototype": {"bar": "baz"} } }'

		console.log(JSON.parse(goodJson), sjson.parse(goodJson, { protoAction: 'remove', constructorAction: 'remove' }))
		console.log(JSON.parse(badJson), sjson.parse(badJson, { protoAction: 'remove', constructorAction: 'remove' }))
		```

		## API

		### `Bourne.parse(text, [reviver], [options])`
		### `sjson.parse(text, [reviver], [options])`

		@@ -46,4 +66,8 @@ Parses a given JSON-formatted text into an object where:
		- `'ignore'` - skips all validation (same as calling `JSON.parse()` directly).
		- `constructorAction` - optional string with one of:
		- `'error'` - throw a `SyntaxError` when a `constructor` key is found. This is the default value.
		- `'remove'` - deletes any `constructor` keys from the result object.
		- `'ignore'` - skips all validation (same as calling `JSON.parse()` directly).

		### `Bourne.scan(obj, [options])`
		### `sjson.scan(obj, [options])`

		@@ -56,2 +80,5 @@ Scans a given object for prototype properties where:
		- `'remove'` - deletes any `__proto__` keys from the input `obj`.
		- `constructorAction` - optional string with one of:
		- `'error'` - throw a `SyntaxError` when a `constructor` key is found. This is the default value.
		- `'remove'` - deletes any `constructor` keys from the input `obj`.

		@@ -58,0 +85,0 @@ # Acknowledgements

secure-json-parse - npm Package Compare versions

Improved metrics