fix(rest): sanitize json for JSON.parse()
1 parent
75731f9
commit d7481d4
Showing
5 changed files
with
80 additions
and
5 deletions.
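--- a/<test-file-path-not-shown>
+++ b/<test-file-path-not-shown>
@@ -0,0 +1,37 @@
+// Copyright IBM Corp. 2018. All Rights Reserved.
+// Node module: @loopback/rest
+// This file is licensed under the MIT License.
+// License text available at https://opensource.org/licenses/MIT
+
+import {expect} from '@loopback/testlab';
+import {parseJson} from '../../json-parse';
+
+describe('parseJson', () => {
+  it('throws for JSON text with __proto__ key', () => {
+    const text = '{"x": "1", "__proto__": {"y": 2}}';
+    expect(() => parseJson(text)).to.throw(
+      'JSON string cannot contain "__proto__" key.',
+    );
+  });
+
+  it('throws for JSON text with deep __proto__ key', () => {
+    const text = '{"x": "1", "y": {"__proto__": {"z": 2}}}';
+    expect(() => parseJson(text)).to.throw(
+      'JSON string cannot contain "__proto__" key.',
+    );
+  });
+
+  it('works for JSON text with deep __proto__ value', () => {
+    const text = '{"x": "1", "y": "__proto__"}';
+    expect(parseJson(text)).to.eql(JSON.parse(text));
+  });
+
+  it('supports reviver function', () => {
+    const text = '{"x": 1, "y": "2"}';
+    const obj = parseJson(text, (key, value) => {
+      if (key === 'y') return parseInt(value);
+      return value;
+    });
+    expect(obj).to.eql({x: 1, y: 2});
+  });
+});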
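Review bot: The suite never exercises a `__proto__` key nested inside an array element (`'[{"__proto__": {"y": 2}}]'`), so a later change to `sanitizeJsonParse` that only walked plain objects would still pass these tests; one more `it` with that text expecting the same throw would pin that coverage. A test for the `{"constructor": {"prototype": {...}}}` shape would likewise document whether that second prototype-pollution vector is in scope for this guard, since nothing here states it either way. Separately, `parseInt(value)` in the reviver test omits the radix; `parseInt(value, 10)` (or `Number(value)`) keeps the assertion unchanged and avoids the usual lint warning.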
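--- a/<dir-not-shown>/json-parse.ts
+++ b/<dir-not-shown>/json-parse.ts
@@ -0,0 +1,34 @@
+// Copyright IBM Corp. 2018. All Rights Reserved.
+// Node module: @loopback/rest
+// This file is licensed under the MIT License.
+// License text available at https://opensource.org/licenses/MIT
+
+//tslint:disable:no-any
+
+/**
+ * Factory to create a reviver function for `JSON.parse` to sanitize keys
+ * @param reviver Reviver function
+ */
+export function sanitizeJsonParse(reviver?: (key: any, value: any) => any) {
+  return (key: string, value: any) => {
+    if (key === '__proto__')
+      throw new Error('JSON string cannot contain "__proto__" key.');
+    if (reviver) {
+      return reviver(key, value);
+    } else {
+      return value;
+    }
+  };
+}
+
+/**
+ * See https://hueniverse.com/a-tale-of-prototype-poisoning-2610fa170061
+ * @param text JSON string
+ * @param reviver Optional reviver function for `JSON.parse`
+ */
+export function parseJson(
+  text: string,
+  reviver?: (key: any, value: any) => any,
+) {
+  return JSON.parse(text, sanitizeJsonParse(reviver));
+}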
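Review bot: The guard `if (key === '__proto__')` in the returned reviver closes only the `__proto__` vector; a payload shaped `{"constructor": {"prototype": {...}}}` passes through and reaches the same sinks in deep-merge/extend helpers that the linked article describes, so either widen the check, e.g. `if (key === '__proto__' || (key === 'constructor' && value != null && typeof value === 'object' && 'prototype' in value))`, or state in the docs that the sanitizer covers `__proto__` only. The `parseJson` docstring currently just links the blog post; it should state the contract, e.g. `Parse JSON text with a reviver that throws if any object key, at any depth, is "__proto__", so the result can be safely merged into other objects. @throws Error when such a key is present.` The reviver throws a plain `Error`; presumably a caller in the request-body path maps it to a 4xx rather than a 500, but those files are not shown here and that is worth confirming. Both functions are fully contained in this hunk.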