mikesamuel/no-object-forgery

Protecting against Object Forgery

JSON.parse makes it easy to unintentionally turn untrustworthy strings into untrustworthy objects, which has led to problems when key pieces of infrastructure are less suspicious of objects than of strings.

This monkeypatches JSON.parse and provides an isParsedObject function that likely identifies objects that were parsed from strings that might come from an untrusted source.

See "Protecting against Object Forgery".

Usage

const isParsedObject = require('no-object-forgery');

// myJsonString might come from an attacker.
const x = JSON.parse(myJsonString);

if (isParsedObject(x)) {
  // Don't treat x as privileged.
}

If you know that a string is trustworthy, you can parse it with JSON.parseTrusted instead; the resulting object is not recognized as a parsed object by isParsedObject.

JSON.parseTrusted(trustworthyJsonString);
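The following is an added example of how a hook like this can work end to end; it is illustrative code written for this page, not the package's own implementation. It assumes that parsed objects are tagged in a WeakSet (the real package may use a different mechanism), and the names markDeep, installJsonHook and isPrivilegedSession are invented for the example.

```javascript
'use strict';

// Added illustration of the technique the README describes; it is NOT the
// no-object-forgery package's code. Assumption: tagging is done with a
// WeakSet, which holds parsed objects weakly so they can still be garbage
// collected. The real package may use a different mechanism.
const parsedObjects = new WeakSet();
const originalParse = JSON.parse;

function isObjectLike(value) {
  return value !== null && typeof value === 'object';
}

// Walk the parse result and record every object and array it contains,
// so nested values pulled out of an untrusted document are flagged too.
function markDeep(value) {
  if (isObjectLike(value) && !parsedObjects.has(value)) {
    parsedObjects.add(value);
    for (const key of Object.keys(value)) {
      markDeep(value[key]);
    }
  }
  return value;
}

// Replacement for JSON.parse: same signature, same result, but the
// returned object graph is tagged. Marking happens after the reviver
// (if any) has run, so objects the reviver constructs are tagged as well.
function taggedParse(text, reviver) {
  return markDeep(originalParse.call(JSON, text, reviver));
}

// Reports whether x came out of a tagged JSON.parse call (directly or as a
// nested value). Primitives and hand-built objects are never flagged.
function isParsedObject(x) {
  return isObjectLike(x) && parsedObjects.has(x);
}

// Installs the hook once. JSON.parseTrusted keeps the untagged behaviour
// for strings the caller has already vouched for.
function installJsonHook() {
  if (JSON.parse !== taggedParse) {
    JSON.parse = taggedParse;
    JSON.parseTrusted = originalParse;
  }
}
installJsonHook();

// Constructed consumer: a capability check that refuses to treat a parsed
// object as privileged, however convincing its fields look.
function isPrivilegedSession(session) {
  if (isParsedObject(session)) {
    return false; // right shape, but it was materialised from a string
  }
  return isObjectLike(session) && session.role === 'admin';
}

if (typeof module !== 'undefined') {
  module.exports = { isParsedObject, isPrivilegedSession, installJsonHook };
}
```

Two points worth noting about this scheme. First, the check must run on the object you actually received: copies made with Object.assign or spread syntax are fresh objects that were never tagged, which is one reason the README only promises that isParsedObject "likely" identifies parsed objects. Second, the privilege check rejects a parsed object before looking at any of its fields, so an attacker-supplied document cannot satisfy it no matter which keys it carries.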

This is not an official Google product.
