Serialize an object, including its functions, into JSON.
This module provides a way to unserialize strings into executable JavaScript code, so it may lead to security vulnerabilities if the original strings can be modified by untrusted third parties (aka hackers). For instance, the following attack example, provided by ajinabraham, shows how arbitrary code injection can be achieved with an IIFE:
// Demonstrates why unserialize() must never be fed untrusted input: the "rce"
// value is a function source string carrying the prefix shown, and its trailing
// "()" turns it into an IIFE, so unserialize() runs it while restoring the object.
var serialize = require('node-serialize');
var x = '{"rce":"_$$ND_FUNC$$_function (){console.log(\'exploited\')}()"}'
serialize.unserialize(x);
To avoid these security issues, at least one of the following measures should be taken:
-
Make sure serialized strings are only sent internally, isolating them from potential hackers. For example, only send the strings from the backend to the frontend, and always use HTTPS instead of HTTP.
-
Introduce a public-key cryptosystem (e.g. RSA) to ensure the strings have not been tampered with, i.e. sign the serialized strings and verify the signature before unserializing them.
npm install node-serialize
// Load the library; every example below uses this `serialize` binding.
var serialize = require('node-serialize');
Serialize an object including its function:
// An object whose method references `this` round-trips: after unserialize()
// the restored method still sees the restored `name`.
var greeter = { name: 'Bob' };
greeter.say = function () {
  return `hi ${this.name}`;
};
var greeterS = serialize.serialize(greeter);
typeof greeterS === 'string';
serialize.unserialize(greeterS).say() === 'hi Bob';
Serialize an object with a sub-object:
// A function on a nested object round-trips as well.
var inner = {
  name: 'Jeff',
  say: function () {
    return `hi ${this.name}`;
  },
};
var objWithSubObj = { obj: inner };
var objWithSubObjS = serialize.serialize(objWithSubObj);
typeof objWithSubObjS === 'string';
serialize.unserialize(objWithSubObjS).obj.say() === 'hi Jeff';
Serialize a circular object:
// A self-referencing object round-trips: the restored `self` chain stays walkable.
var ring = {};
ring.self = ring;
var ringS = serialize.serialize(ring);
typeof ringS === 'string';
var restoredRing = serialize.unserialize(ringS);
typeof restoredRing.self.self.self.self === 'object';