    This package has been deprecated

    Author message:

    This module has moved and is now available at @hapi/bourne. Please update your dependencies as this version is no longer maintained and may contain bugs and security issues.

    bourne

    1.1.2 • Public • Published

    Bourne. JSON Bourne.

    JSON.parse() drop-in replacement with prototype poisoning protection

    Introduction

    Consider this:

    > const a = '{"__proto__":{ "b":5}}';
    '{"__proto__":{ "b":5}}'
    
    > const b = JSON.parse(a);
    { __proto__: { b: 5 } }
    
    > b.b;
    undefined
    
    > const c = Object.assign({}, b);
    {}
    
    > c.b
    5
    

    The problem is that JSON.parse() retains the __proto__ property as a plain object key. By itself, this is not a security issue. However, as soon as that object is assigned to another or iterated on and values copied, the __proto__ property leaks and becomes the object's prototype.

    API

    Bourne.parse(text, [reviver], [options])

    Parses a given JSON-formatted text into an object where:

    • text - the JSON text string.
    • reviver - the JSON.parse() optional reviver argument.
    • options - optional configuration object where:
      • protoAction - optional string with one of:
        • 'error' - throw a SyntaxError when a __proto__ key is found. This is the default value.
        • 'remove' - deletes any __proto__ keys from the result object.
        • 'ignore' - skips all validation (same as calling JSON.parse() directly).

    Bourne.scan(obj, [options])

    Scans a given object for prototype properties where:

    • obj - the object being scanned.
    • options - optional configuration object where:
      • protoAction - optional string with one of:
        • 'error' - throw a SyntaxError when a __proto__ key is found. This is the default value.
        • 'remove' - deletes any __proto__ keys from the input obj.
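
    The sketch below ties the introduction's leak to the protoAction values described above. It is an added example, not bourne's source code: scanForProto and safeParse are hypothetical names, the payload is constructed, and the input is assumed to come from JSON.parse() (so it has no cycles).

```javascript
// Added illustration, not bourne's source; function names are hypothetical.
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Walk every nested object/array (acyclic input assumed) and apply
// protoAction to each own "__proto__" key that JSON.parse() left behind.
function scanForProto(obj, { protoAction = 'error' } = {}) {
    let next = obj !== null && typeof obj === 'object' ? [obj] : [];
    while (next.length > 0) {
        const nodes = next;
        next = [];
        for (const node of nodes) {
            if (hasOwn(node, '__proto__')) {
                if (protoAction !== 'remove') {
                    throw new SyntaxError('Object contains forbidden prototype property');
                }
                delete node.__proto__; // drops the own key; the real prototype is untouched
            }
            for (const key of Object.keys(node)) {
                const value = node[key];
                if (value !== null && typeof value === 'object') {
                    next.push(value);
                }
            }
        }
    }
    return obj;
}

// JSON.parse() followed by the scan; 'ignore' skips validation entirely.
function safeParse(text, reviver, options = {}) {
    const parsed = JSON.parse(text, reviver);
    return options.protoAction === 'ignore' ? parsed : scanForProto(parsed, options);
}

// Constructed input: the introduction's payload plus a nested occurrence.
const payload = '{"__proto__":{"b":5},"list":[{"__proto__":{"c":6},"ok":true}]}';

// Copying the unvalidated result turns the "__proto__" key into a prototype.
const leaked = Object.assign({}, JSON.parse(payload));

// With 'remove', the same copy gains no inherited properties.
const cleaned = Object.assign({}, safeParse(payload, undefined, { protoAction: 'remove' }));

console.log(leaked.b, cleaned.b, JSON.stringify(cleaned));
```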

    Install

    npm i bourne

    License

    BSD-3-Clause
