JSON.parse() drop-in replacement with prototype poisoning protection.
| Version | License | Node | Dependencies | CI |
|---|---|---|---|---|
| | BSD | 16, 18, 20, 22 | Dependency Status | Build Status |
Consider this:

```
> const a = '{"__proto__":{ "b":5}}';
'{"__proto__":{ "b":5}}'
> const b = JSON.parse(a);
{ __proto__: { b: 5 } }
> b.b;
undefined
> const c = Object.assign({}, b);
{}
> c.b
5
```
The problem is that JSON.parse() retains the __proto__ property as a plain (own, enumerable) object key. By
itself, this is not a security issue: b.b is still undefined because the key is data, not a prototype. However, as soon as that object is copied into another with Object.assign(), or iterated over with a loop that does target[key] = value, the assignment goes through the Object.prototype.__proto__ setter, and the attacker-supplied value becomes the target object's prototype.
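The leak described above, followed by one way to refuse such input at parse time. This is an added example, not bourne's own implementation; the names naiveMerge, safeParse and protoRejectingReviver are hypothetical, and the JSON input is constructed for the demonstration.

```javascript
// Constructed attacker-controlled request body: a `__proto__` key next to
// ordinary data.
const POISONED = '{"__proto__":{"isAdmin":true},"name":"mallory"}';

// The unsafe pattern: parse, then merge into a fresh object. Object.assign()
// uses [[Set]], so the own "__proto__" key on the parsed object invokes the
// Object.prototype.__proto__ setter on the target and rewires its prototype.
function naiveMerge(json) {
  const parsed = JSON.parse(json);
  return Object.assign({}, parsed);
}

// Reviver that rejects any parsed object carrying an own "__proto__" key.
// JSON.parse() calls the reviver bottom-up for every value, so the top-level
// object is checked last, after all nested objects have been visited.
function protoRejectingReviver(key, value) {
  if (value !== null && typeof value === 'object' &&
      Object.prototype.hasOwnProperty.call(value, '__proto__')) {
    throw new SyntaxError('Object contains forbidden prototype property');
  }
  return value;
}

// Drop-in for JSON.parse() that throws instead of returning a poisoned object.
function safeParse(json) {
  return JSON.parse(json, protoRejectingReviver);
}

// Same merge as naiveMerge(), but the input can no longer carry "__proto__".
function safeMerge(json) {
  return Object.assign({}, safeParse(json));
}

// Nested objects are covered too: the reviver sees every object level.
const NESTED = '{"user":{"__proto__":{"isAdmin":true}}}';

function demo() {
  const leaked = naiveMerge(POISONED).isAdmin;      // true: prototype was poisoned
  const direct = JSON.parse(POISONED).isAdmin;      // undefined: still a plain key
  let rejected = false;
  try { safeParse(POISONED); } catch (e) { rejected = e instanceof SyntaxError; }
  return { leaked, direct, rejected };
}
```

Throwing is preferable to silently dropping the key when the input is untrusted: a request that carries __proto__ is never a legitimate one, and rejecting it leaves an audit trail instead of hiding the attempt.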