GoScrobble/web/node_modules/@hapi/bourne/README.md

55 lines
1.8 KiB
Markdown
Raw Permalink Normal View History

2022-04-25 02:47:15 +00:00
<a href="http://hapijs.com"><img src="https://raw.githubusercontent.com/hapijs/assets/master/images/family.png" width="180px" align="right" /></a>
# Bourne. JSON Bourne.
`JSON.parse()` drop-in replacement with prototype poisoning protection
[![Build Status](https://travis-ci.org/hapijs/bourne.svg)](https://travis-ci.org/hapijs/bourne)
## Introduction
Consider this:
```
> const a = '{"__proto__":{ "b":5}}';
'{"__proto__":{ "b":5}}'
> const b = JSON.parse(a);
{ __proto__: { b: 5 } }
> b.b;
undefined
> const c = Object.assign({}, b);
{}
> c.b
5
```
The problem is that `JSON.parse()` retains the `__proto__` property as a plain object key. By
itself, this is not a security issue. However, as soon as that object is assigned to another or
iterated on and values copied, the `__proto__` property leaks and becomes the object's prototype.
## API
### `Bourne.parse(text, [reviver], [options])`
Parses a given JSON-formatted text into an object where:
- `text` - the JSON text string.
- `reviver` - the `JSON.parse()` optional `reviver` argument.
- `options` - optional configuration object where:
- `protoAction` - optional string with one of:
- `'error'` - throw a `SyntaxError` when a `__proto__` key is found. This is the default value.
- `'remove'` - deletes any `__proto__` keys from the result object.
- `'ignore'` - skips all validation (same as calling `JSON.parse()` directly).
### `Bourne.scan(obj, [options])`
Scans a given object for prototype properties where:
- `obj` - the object being scanned.
- `options` - optional configuration object where:
- `protoAction` - optional string with one of:
- `'error'` - throw a `SyntaxError` when a `__proto__` key is found. This is the default value.
- `'remove'` - deletes any `__proto__` keys from the input `obj`.