Protect from prototype posioning during object coercion

hapipal · Feb 13, 2021 · ab56ebe · ab56ebe
1 parent 1a39334
commit ab56ebe
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 1 deletion.
diff --git a/lib/store.js b/lib/store.js
@@ -3,6 +3,7 @@
 // Load modules
 
 const Hoek = require('@hapi/hoek');
+const Bourne = require('@hapi/bourne');
 const Schema = require('./schema');
 
 // Declare internals
@@ -267,7 +268,7 @@ internals.coerce = function (value, type, options) {
             break;
         case 'object':
             try {
-                result = JSON.parse(value);
+                result = Bourne.parse(value);
             }
             catch (e) {
                 result = undefined;

diff --git a/package.json b/package.json
@@ -12,6 +12,7 @@
   ],
   "dependencies": {
     "@hapi/hoek": "9.x.x",
+    "@hapi/bourne": "2.x.x",
     "alce": "1.x.x",
     "joi": "17.x.x",
     "yargs": "16.x.x"

diff --git a/test/store.js b/test/store.js
@@ -228,6 +228,7 @@ describe('get()', () => {
     get('/coerceObject1', { a: 'b' }, {}, []);
     get('/coerceObject1', { b: 'a' }, { obj: '{"b":"a"}' }, []);
     get('/coerceObject1', { a: 'b' }, { obj: 'BROKEN JSON' }, []);
+    get('/coerceObject1', { a: 'b' }, { obj: '{"b":"a","__proto__":"x"}' }, []);
 
     it('fails on invalid key', () => {