feat: enhance JSON parsing options to include constructor poisoning handling

Signed-off-by: Sebastian Beltran <[email protected]>

Author: bjohansebas

lib/types/json.js

@@ -56,7 +56,7 @@ function json (options) {
 
   var reviver = options?.reviver
   var strict = options?.strict !== false
-  const protoPoisoning = options?.onProtoPoisoning || 'ignore'
+  const poisoningOptions = { onProtoPoisoning: options?.onProto?.onProtoPoisoning || 'ignore', onConstructorPoisoning: options?.onProto?.onConstructorPoisoning || 'ignore' }
 
   function parse (body) {
     if (body.length === 0) {
@@ -76,7 +76,7 @@ function json (options) {
 
     try {
       debug('parse json')
-      return secureJson.parse(body, reviver, { protoAction: protoPoisoning })
+      return secureJson.parse(body, reviver, { protoAction: poisoningOptions.onProtoPoisoning, constructorAction: poisoningOptions.onConstructorPoisoning })
     } catch (e) {
       throw normalizeJsonSyntaxError(e, {
         message: e.message,

test/json.js

@@ -724,29 +724,55 @@ describe('bodyParser.json()', function () {
 
   describe('prototype poisoning', function () {
     it('should parse __proto__ when protoAction is set to ignore', function (done) {
-      request(createServer({ onProtoPoisoning: 'ignore' }))
+      request(createServer({ onProto: { onProtoPoisoning: 'ignore' }}))
         .post('/')
         .set('Content-Type', 'application/json')
         .send('{"user":"tobi","__proto__":{"x":7}}')
         .expect(200, '{"user":"tobi","__proto__":{"x":7}}', done)
     })
 
     it('should throw when protoAction is set to error', function (done) {
-      request(createServer({ onProtoPoisoning: 'error' }))
+      request(createServer({ onProto: { onProtoPoisoning: 'error' }}))
         .post('/')
         .set('Content-Type', 'application/json')
         .send('{"user":"tobi","__proto__":{"x":7}}')
         .expect(400, '[entity.parse.failed] Object contains forbidden prototype property', done)
     })
 
     it('should remove prototype poisoning when protoAction is set to remove', function (done) {
-      request(createServer({ onProtoPoisoning: 'remove' }))
+      request(createServer({ onProto: { onProtoPoisoning: 'remove' }}))
         .post('/')
         .set('Content-Type', 'application/json')
         .send('{"user":"tobi","__proto__":{"x":7}}')
         .expect(200, '{"user":"tobi"}', done)
     })
   })
+
+  describe('constructor poisoning', function () {
+    it('should parse constructor when protoAction is set to ignore', function (done) {
+      request(createServer({ onProto: { onConstructorPoisoning: 'ignore' }}))
+        .post('/')
+        .set('Content-Type', 'application/json')
+        .send('{"user":"tobi","constructor":{"prototype":{"bar":"baz"}}}')
+        .expect(200, '{"user":"tobi","constructor":{"prototype":{"bar":"baz"}}}', done)
+    })
+
+    it('should throw when protoAction is set to error', function (done) {
+      request(createServer({ onProto: { onConstructorPoisoning: 'error' }}))
+        .post('/')
+        .set('Content-Type', 'application/json')
+        .send('{"user":"tobi","constructor":{"prototype":{"bar":"baz"}}}')
+        .expect(400, '[entity.parse.failed] Object contains forbidden prototype property', done)
+    })
+
+    it('should remove prototype poisoning when protoAction is set to remove', function (done) {
+      request(createServer({ onProto: { onConstructorPoisoning: 'remove' }}))
+        .post('/')
+        .set('Content-Type', 'application/json')
+        .send('{"user":"tobi","constructor":{"prototype":{"bar":"baz"}}}')
+        .expect(200, '{"user":"tobi"}', done)
+    })
+  })
 })
 
 function createServer (opts) {