/ stream.nieuweinstituut.nl / node_modules / @hapi / bourne / / stream.nieuweinstituut.nl / node_modules / @hapi / bourne /![[ICO]](/icons/blank.gif){kind=icon} | Name | Last modified | Size | Description |
|---|---|---|---|---|
![[PARENTDIR]](/icons/back.gif){kind=icon} | Parent Directory | - | ||
![[DIR]](/icons/folder.gif){kind=icon} | lib/ | 2 years ago | - | |
![[TXT]](/icons/text.gif){kind=icon} | LICENSE.md | 40 years ago | 1.4K | |
| README.md | 40 years ago | 1.8K | d768d73 docs [كارل مبارك] |
![[ ]](/icons/unknown.gif){kind=icon} | package.json | 2 years ago | 1.5K | 3e510ca test new git [كارل مبارك] |
JSON.parse() drop-in replacement with prototype poisoning protection
Consider this:
> const a = '{"__proto__":{ "b":5}}';
'{"__proto__":{ "b":5}}'
> const b = JSON.parse(a);
{ __proto__: { b: 5 } }
> b.b;
undefined
> const c = Object.assign({}, b);
{}
> c.b
5The problem is that JSON.parse() retains the __proto__ property as a plain object key. By
itself, this is not a security issue. However, as soon as that object is assigned to another or
iterated on and values copied, the __proto__ property leaks and becomes the object's prototype.
Bourne.parse(text, [reviver], [options])Parses a given JSON-formatted text into an object where:
text - the JSON text string.reviver - the JSON.parse() optional reviver argument.options - optional configuration object where:protoAction - optional string with one of:'error' - throw a SyntaxError when a __proto__ key is found. This is the default value.'remove' - deletes any __proto__ keys from the result object.'ignore' - skips all validation (same as calling JSON.parse() directly).Bourne.scan(obj, [options])Scans a given object for prototype properties where:
obj - the object being scanned.options - optional configuration object where:protoAction - optional string with one of:'error' - throw a SyntaxError when a __proto__ key is found. This is the default value.'remove' - deletes any __proto__ keys from the input obj.