bourne

JSON.parse() drop-in replacement with prototype poisoning protection.

Latest Version: 2.0.0
hapi-family
Installation:

npm: npm install @hapi/bourne

yarn: yarn add @hapi/bourne

Module Status:

Version: 2.0.0
License: BSD
Node: 12, 14

Introduction

Consider this:

> const a = '{"__proto__":{ "b":5}}';
'{"__proto__":{ "b":5}}'

> const b = JSON.parse(a);
{ __proto__: { b: 5 } }

> b.b;
undefined

> const c = Object.assign({}, b);
{}

> c.b
5

The problem is that JSON.parse() retains the __proto__ property as a plain object key. By
itself, this is not a security issue. However, as soon as that object is assigned to another or
iterated on and values copied, the __proto__ property leaks and becomes the object's prototype.
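Added illustration, not code from @hapi/bourne: it reproduces the leak just described and then shows a hypothetical safeParse() that walks the parsed tree and rejects or strips own "__proto__" keys before the object is ever copied. The function name, the action argument and the sample input are all constructed for this example.

```javascript
// Added illustration, not code from @hapi/bourne: first reproduce the leak the
// README describes, then show a hypothetical safeParse() that walks the parsed
// tree and rejects or strips own "__proto__" keys before the object is copied.

// Constructed sample input: a "__proto__" key at the top level and nested.
const poisonedJson = '{"__proto__":{"b":5},"nested":{"__proto__":{"c":6}},"ok":1}';

// The own "__proto__" key is inert on the parsed object itself, but
// Object.assign() copies it with [[Set]], which invokes the Object.prototype
// __proto__ setter and makes {"b":5} the prototype of the target.
function demonstrateLeak(json) {
  const parsed = JSON.parse(json);
  const copy = Object.assign({}, parsed);
  return { ownBeforeCopy: parsed.b, inheritedAfterCopy: copy.b };
}

// Hypothetical guard: parse normally, then walk every object in the result.
// action = 'error' throws on a forbidden key; action = 'remove' deletes it.
// hasOwnProperty.call is used because a parsed object may shadow any method
// with a key of the same name.
function safeParse(json, action = 'error') {
  const parsed = JSON.parse(json);
  const stack = [parsed];
  while (stack.length > 0) {
    const node = stack.pop();
    if (node === null || typeof node !== 'object') {
      continue;
    }
    if (Object.prototype.hasOwnProperty.call(node, '__proto__')) {
      if (action === 'error') {
        throw new SyntaxError('Object contains forbidden prototype property');
      }
      delete node['__proto__']; // an own data property, so delete removes it
    }
    for (const key of Object.keys(node)) {
      stack.push(node[key]);
    }
  }
  return parsed;
}

console.log(demonstrateLeak(poisonedJson));     // { ownBeforeCopy: undefined, inheritedAfterCopy: 5 }
console.log(safeParse(poisonedJson, 'remove')); // { nested: {}, ok: 1 }
```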