fix(rest): sanitize json for JSON.parse()

Author: raymondfeng

packages/rest/src/__tests__/unit/body-parser.unit.ts

@@ -186,6 +186,24 @@ describe('body parser', () => {
     });
   });
 
+  it('reports error for json payload with "__proto__" key', () => {
+    const req = givenRequest({
+      url: '/',
+      payload: '{"x": 1, "__proto__": {"y": "2"}}',
+      headers: {
+        'Content-Type': 'application/json',
+      },
+    });
+
+    const spec = givenOperationWithRequestBody({
+      description: 'data',
+      content: {},
+    });
+    return expect(
+      requestBodyParser.loadRequestBodyIfNeeded(spec, req),
+    ).to.be.rejectedWith('JSON string cannot contain "__proto__" key.');
+  });
+
   it('sorts body parsers', () => {
     const options: RequestBodyParserOptions = {};
     const bodyParser = new RequestBodyParser([

packages/rest/src/__tests__/unit/parse-json.unit.ts

@@ -0,0 +1,37 @@
+// Copyright IBM Corp. 2018. All Rights Reserved.
+// Node module: @loopback/rest
+// This file is licensed under the MIT License.
+// License text available at https://opensource.org/licenses/MIT
+
+import {expect} from '@loopback/testlab';
+import {parseJson} from '../../parse-json';
+
+describe('parseJson', () => {
+  it('throws for JSON text with __proto__ key', () => {
+    const text = '{"x": "1", "__proto__": {"y": 2}}';
+    expect(() => parseJson(text)).to.throw(
+      'JSON string cannot contain "__proto__" key.',
+    );
+  });
+
+  it('throws for JSON text with deep __proto__ key', () => {
+    const text = '{"x": "1", "y": {"__proto__": {"z": 2}}}';
+    expect(() => parseJson(text)).to.throw(
+      'JSON string cannot contain "__proto__" key.',
+    );
+  });
+
+  it('works for JSON text with deep __proto__ value', () => {
+    const text = '{"x": "1", "y": "__proto__"}';
+    expect(parseJson(text)).to.eql(JSON.parse(text));
+  });
+
+  it('supports reviver function', () => {
+    const text = '{"x": 1, "y": "2"}';
+    const obj = parseJson(text, (key, value) => {
+      if (key === 'y') return parseInt(value);
+      return value;
+    });
+    expect(obj).to.eql({x: 1, y: 2});
+  });
+});

packages/rest/src/body-parsers/body-parser.json.ts

@@ -15,6 +15,7 @@ import {
   builtinParsers,
 } from './body-parser.helpers';
 import {BodyParser, RequestBody} from './types';
+import {sanitizeJsonParse} from '../parse-json';
 
 export class JsonBodyParser implements BodyParser {
   name = builtinParsers.json;
@@ -25,6 +26,7 @@ export class JsonBodyParser implements BodyParser {
     options: RequestBodyParserOptions = {},
   ) {
     const jsonOptions = getParserOptions('json', options);
+    jsonOptions.reviver = sanitizeJsonParse(jsonOptions.reviver);
     this.jsonParser = json(jsonOptions);
   }
 

packages/rest/src/coercion/coerce-parameter.ts

@@ -3,20 +3,21 @@
 // This file is licensed under the MIT License.
 // License text available at https://opensource.org/licenses/MIT
 
-import {ParameterObject, isReferenceObject} from '@loopback/openapi-v3-types';
-import {Validator} from './validator';
+import {isReferenceObject, ParameterObject} from '@loopback/openapi-v3-types';
 import * as debugModule from 'debug';
 import {RestHttpErrors} from '../';
+import {parseJson} from '../parse-json';
 import {
+  DateCoercionOptions,
   getOAIPrimitiveType,
+  IntegerCoercionOptions,
   isEmpty,
   isFalse,
   isTrue,
   isValidDateTime,
   matchDateFormat,
-  DateCoercionOptions,
-  IntegerCoercionOptions,
 } from './utils';
+import {Validator} from './validator';
 const isRFC3339 = require('validator/lib/isRFC3339');
 const debug = debugModule('loopback:rest:coercion');
 
@@ -185,7 +186,7 @@ function parseJsonIfNeeded(
   }
 
   try {
-    const result = JSON.parse(data);
+    const result = parseJson(data);
     debug('Parsed parameter %s as %j', spec.name, result);
     return result;
   } catch (err) {

packages/rest/src/index.ts

@@ -19,6 +19,7 @@ export * from './rest.component';
 export * from './rest.server';
 export * from './sequence';
 export * from './rest-http-error';
+export * from './parse-json';
 
 // export all errors from external http-errors package
 import * as HttpErrors from 'http-errors';

packages/rest/src/parse-json.ts

@@ -0,0 +1,42 @@
+// Copyright IBM Corp. 2018. All Rights Reserved.
+// Node module: @loopback/rest
+// This file is licensed under the MIT License.
+// License text available at https://opensource.org/licenses/MIT
+
+//tslint:disable:no-any
+
+// These utilities are introduced to mitigate the prototype pollution issue
+// with `JSON.parse`.
+// See https://hueniverse.com/a-tale-of-prototype-poisoning-2610fa170061
+//
+// The [bourne](https://github.com/hapijs/bourne) module provides a drop-in
+// replacement for `JSON.parse` but we need to instruct `body-parser` to honor
+// a `reviver` function.
+
+/**
+ * Factory to create a reviver function for `JSON.parse` to sanitize keys
+ * @param reviver Reviver function
+ */
+export function sanitizeJsonParse(reviver?: (key: any, value: any) => any) {
+  return (key: string, value: any) => {
+    if (key === '__proto__')
+      throw new Error('JSON string cannot contain "__proto__" key.');
+    if (reviver) {
+      return reviver(key, value);
+    } else {
+      return value;
+    }
+  };
+}
+
+/**
+ *
+ * @param text JSON string
+ * @param reviver Optional reviver function for `JSON.parse`
+ */
+export function parseJson(
+  text: string,
+  reviver?: (key: any, value: any) => any,
+) {
+  return JSON.parse(text, sanitizeJsonParse(reviver));
+}