Prevent prototype injection #216
Comments
Using

I guess, if we check for

PR in #219

Nice work 👍 perhaps it is also a good idea to look into why the version with

After checking https://hackernoon.com/understand-nodejs-javascript-object-inheritance-proto-prototype-class-9bd951700b29, I guess that if

PR #262 prevents another instance of this problem, as It would be great if we could merge it and/or address the underlying issue :-)
It appears fast-json-patch may be vulnerable to prototype injection depending on the way it is used. See e.g. the following code:

This will output 'hacked' twice, while there is no property `x` visible on either `doc` or `otherDoc` when they are printed. This becomes an issue in scenarios where patches cannot be trusted (and are not checked for this). Perhaps it is a good idea to disable patching of `__proto__` (and maybe `prototype` as well? I haven't tested that yet) unless enabled by a flag (although I do not really see a use case where you would use JSON patches to fix up a prototype...).
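As an added illustration of the mechanism described in the issue above (this is constructed example code, not fast-json-patch's implementation and not the snippet the issue refers to, which is not reproduced on this page), the following JavaScript implements a minimal JSON Patch `add` over a JSON Pointer path in two forms: a naive walk that resolves `/__proto__/x` to `Object.prototype` and so pollutes every object, and a hardened walk that rejects prototype-reaching segments and only descends through own properties. All function names (`naiveAdd`, `safeAdd`, `demonstratePollution`, `safeAddRejects`) and the sample patch path are this example's own. The hardened version goes slightly beyond the issue's `__proto__` case by also rejecting `constructor` and `prototype`, since `/constructor/prototype/x` reaches the same object.

```javascript
// Added example (not fast-json-patch code): a minimal JSON Patch "add" over a
// JSON Pointer path, in a naive form that reproduces the prototype-injection
// behaviour and a hardened form that rejects it. All names are this example's.

// RFC 6901 unescaping: "~1" -> "/", then "~0" -> "~" (order matters).
function unescapePointer(seg) {
  return seg.replace(/~1/g, '/').replace(/~0/g, '~');
}

function splitPointer(path) {
  if (path === '' || path[0] !== '/') {
    throw new Error('this example only handles non-empty pointers starting with "/"');
  }
  return path.split('/').slice(1).map(unescapePointer);
}

function isContainer(value) {
  return typeof value === 'object' && value !== null;
}

// Naive "add": walks every segment with plain property access, so a segment
// such as "__proto__" resolves to Object.prototype and the final assignment
// lands on the shared prototype instead of on the document.
function naiveAdd(doc, path, value) {
  const segments = splitPointer(path);
  let target = doc;
  for (const seg of segments.slice(0, -1)) {
    if (target[seg] === undefined) throw new Error('missing parent: ' + seg);
    target = target[seg];
  }
  target[segments[segments.length - 1]] = value;
  return doc;
}

// Hardened "add": refuses segments that reach a prototype, and only descends
// through the document's own properties, so inherited lookups never happen.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function safeAdd(doc, path, value) {
  const segments = splitPointer(path);
  for (const seg of segments) {
    if (FORBIDDEN_SEGMENTS.has(seg)) throw new Error('forbidden path segment: ' + seg);
  }
  let target = doc;
  for (const seg of segments.slice(0, -1)) {
    if (!isContainer(target) || !Object.prototype.hasOwnProperty.call(target, seg)) {
      throw new Error('missing parent: ' + seg);
    }
    target = target[seg];
  }
  if (!isContainer(target)) throw new Error('parent of final segment is not a container');
  target[segments[segments.length - 1]] = value;
  return doc;
}

// Applies a constructed untrusted patch path with the naive implementation and
// records what an unrelated object sees. Undoes the pollution before returning
// so the rest of the process is not affected.
function demonstratePollution() {
  const doc = {};
  const otherDoc = {};
  naiveAdd(doc, '/__proto__/x', 'hacked'); // constructed untrusted patch path
  const observed = {
    docSeesX: doc.x === 'hacked',
    otherDocSeesX: otherDoc.x === 'hacked', // unrelated object is affected
    docOwnsX: Object.prototype.hasOwnProperty.call(doc, 'x'), // not an own property
    printedDoc: JSON.stringify(doc), // the property is invisible when printed
  };
  delete Object.prototype.x;
  return observed;
}

// True when applying the given patch path to an empty document with safeAdd is rejected.
function safeAddRejects(path) {
  try {
    safeAdd({}, path, 'hacked');
    return false;
  } catch (e) {
    return true;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demonstratePollution());
  console.log('rejects /__proto__/x:', safeAddRejects('/__proto__/x'));
  console.log('rejects /constructor/prototype/x:', safeAddRejects('/constructor/prototype/x'));
  console.log('normal add:', JSON.stringify(safeAdd({ a: {} }, '/a/b', 1)));
}
```

The own-property check during the walk is the part that matters most: even without the deny list, `Object.prototype.hasOwnProperty.call(doc, '__proto__')` is false for an ordinary object, so the walk never steps onto a prototype. The deny list is kept as defence in depth because `JSON.parse('{"__proto__": {}}')` does produce an own property named `__proto__`, and a document shaped like that would otherwise let a patch write into it.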