bourne

JSON.parse() drop-in replacement with prototype poisoning protection.

Latest Version: 3.0.0
Installation:

npm: npm install @hapi/bourne

yarn: yarn add @hapi/bourne

Module Status:

Version  License  Node        Dependencies       CI
3.0.0    BSD      16, 18, 20  Dependency Status  Build Status
2.1.0    BSD      16, 18, 20  Dependency Status  Build Status

Introduction

Consider this:

> const a = '{"__proto__":{ "b":5}}';
'{"__proto__":{ "b":5}}'

> const b = JSON.parse(a);
{ __proto__: { b: 5 } }

> b.b;
undefined

> const c = Object.assign({}, b);
{}

> c.b
5

The problem is that JSON.parse() retains the __proto__ property as a plain own key of the
parsed object. By itself, this is not a security issue. However, as soon as that object is
copied into another (for example with Object.assign()) or iterated over with its values
assigned one by one, the __proto__ key leaks through the __proto__ setter and becomes the
target object's prototype.
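The check a safe parser has to perform, as an added example that is not bourne's own implementation: parse with JSON.parse(), then walk the result and either reject or strip any own "__proto__" key before the object can be copied anywhere. The names safeParse, scrub and SafeParseError are hypothetical; the input is the payload from the REPL session above.

```javascript
// Added example (not the @hapi/bourne source). safeParse, scrub and
// SafeParseError are hypothetical names chosen for this illustration.
class SafeParseError extends Error {}

// Walk a parsed JSON value. action is 'error' (throw) or 'remove' (delete key).
function scrub(value, action) {
  if (value === null || typeof value !== 'object') return value;
  if (Array.isArray(value)) {
    for (const item of value) scrub(item, action);
    return value;
  }
  // JSON.parse() creates "__proto__" as an own data property, so the usual
  // property lookup must not be used here; check the own key explicitly.
  if (Object.prototype.hasOwnProperty.call(value, '__proto__')) {
    if (action === 'error') {
      throw new SafeParseError('Object contains forbidden prototype property');
    }
    delete value.__proto__;          // removes the own key, not the real prototype
  }
  for (const key of Object.keys(value)) scrub(value[key], action);
  return value;
}

// Drop-in style wrapper: same input as JSON.parse(), plus a protoAction option.
function safeParse(text, { protoAction = 'error' } = {}) {
  const parsed = JSON.parse(text);
  if (protoAction === 'ignore') return parsed;   // behave exactly like JSON.parse()
  return scrub(parsed, protoAction);
}

// Constructed input: the payload from the README's REPL session.
const payload = '{"__proto__":{"b":5}}';

function demo() {
  // Plain JSON.parse(): the copy picks up b through its poisoned prototype.
  const unsafe = Object.assign({}, JSON.parse(payload));
  // 'remove': the key is stripped, so the copy has no b at all.
  const stripped = Object.assign({}, safeParse(payload, { protoAction: 'remove' }));
  // Default 'error': the payload is rejected outright.
  let threw = false;
  try { safeParse(payload); } catch (e) { threw = e instanceof SafeParseError; }
  return { unsafeB: unsafe.b, strippedB: stripped.b, threw };
}
```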