no-object-forgery

1.0.1 • Public • Published

Protecting against Object Forgery

JSON.parse makes it easy to unintentionally turn untrustworthy strings into untrustworthy objects. This has led to problems when key pieces of infrastructure are less suspicious of objects than of strings.

This package monkeypatches JSON.parse and provides an isParsedObject function that likely identifies objects that were parsed from strings, which might come from an untrusted source.

See "Protecting against Object Forgery".

Usage

const isParsedObject = require('no-object-forgery');
 
// myJsonString might come from an attacker.
const x = JSON.parse(myJsonString);
 
if (isParsedObject(x)) {
  // Don't treat x as privileged.
}

If you know that a string is trustworthy, you can parse it into an object that isParsedObject does not recognize as a parsed object.

JSON.parseTrusted(trustworthyJsonString);
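
One way the tagging described above can work, as an added sketch that is not the package's own code: a parse wrapper records every object it creates in a WeakSet, and a sink checks membership before granting an object the trust it would deny a string. All names here (taggingParse, isParsed, parseTrusted, renderNaive, renderGuarded, the safeHtml field) are hypothetical, the sketch wraps rather than replaces the global JSON.parse, and the input is constructed.

```javascript
// Added sketch, not the package's source; every name here is hypothetical.
const parsedObjects = new WeakSet();   // objects and arrays created by parsing
const nativeParse = JSON.parse;        // untouched parser, used for trusted input

// Same contract as JSON.parse, but records each object/array it produces.
function taggingParse(text, reviver) {
  return nativeParse(text, function (key, value) {
    const out = typeof reviver === 'function' ? reviver.call(this, key, value) : value;
    if (out !== null && typeof out === 'object') parsedObjects.add(out);
    return out;
  });
}

const isParsed = (x) => parsedObjects.has(x);        // false for primitives
const parseTrusted = (text) => nativeParse(text);    // result is never tagged

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Hypothetical sink: escapes strings, but passes through objects that carry a
// `safeHtml` field on the assumption that trusted code built them.
function renderNaive(v) {
  const privileged = v !== null && typeof v === 'object' && typeof v.safeHtml === 'string';
  return privileged ? v.safeHtml : escapeHtml(v);
}

// Guarded sink: a parsed object never gets the privileged path.
function renderGuarded(v) {
  if (!isParsed(v)) return renderNaive(v);
  return escapeHtml(typeof v.safeHtml === 'string' ? v.safeHtml : JSON.stringify(v));
}

// Constructed sample input standing in for a request body.
const body = '{"safeHtml":"<b>hi</b>","meta":{"tags":["a"]}}';
const forged = taggingParse(body);
console.log(renderNaive(forged));            // markup passes through unescaped
console.log(renderGuarded(forged));          // escaped, because forged is tagged
console.log(isParsed(forged.meta.tags));     // nested values are tagged too
console.log(isParsed({ ...forged }));        // a copy loses the tag
```

In this sketch the tag follows object identity, so a spread or Object.assign copy is no longer recognized; check at the point where parsed data first reaches the sink.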

This is not an official Google product.

Install

npm i no-object-forgery

Weekly Downloads

1

Version

1.0.1

License

Apache-2.0

Unpacked Size

16 kB

Total Files

4

Collaborators

  • mikesamuel