UNPKG

@loopback/rest

Version:

Expose controllers as REST endpoints and route REST API requests to controller methods

loopbackio/loopback-next

72 lines (66 loc) 2.23 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
// Copyright IBM Corp. and LoopBack contributors 2019. All Rights Reserved. // Node module: @loopback/rest // This file is licensed under the MIT License. // License text available at https://opensource.org/licenses/MIT /* eslint-disable @typescript-eslint/no-explicit-any */ // These utilities are introduced to mitigate the prototype pollution issue // with `JSON.parse`. // See https://hueniverse.com/a-tale-of-prototype-poisoning-2610fa170061 // // The [bourne](https://github.com/hapijs/bourne) module provides a drop-in // replacement for `JSON.parse` but we need to instruct `body-parser` to honor // a `reviver` function. const isMatched = (key: string, pattern: string) => pattern === key || key.indexOf(`${pattern}.`) === 0; /** * Factory to create a reviver function for `JSON.parse` to sanitize keys * @param reviver - Reviver function * @param prohibitedKeys - An array of keys to be rejected */ export function sanitizeJsonParse( reviver?: (key: any, value: any) => any, prohibitedKeys?: string[], ) { return (key: string, value: any) => { if (key === '__proto__') { // Reject `__proto__` throw new Error(`JSON string cannot contain "${key}" key.`); } if ( key === 'constructor' && value != null && Object.keys(value).some(k => isMatched(k, 'prototype')) ) { // Reject `constructor/prototype.*` throw new Error( `JSON string cannot contain "constructor.prototype" key.`, ); } if (prohibitedKeys?.some(pattern => isMatched(key, pattern))) { throw new Error(`JSON string cannot contain "${key}" key.`); } if (reviver) { return reviver(key, value); } else { return value; } }; } /** * Parse a json string that rejects prohibited keys * @param text - JSON string * @param reviver - Optional reviver function for `JSON.parse` * @param prohibitedKeys - An array of keys to be rejected */ export function parseJson( text: string, reviver?: (key: any, value: any) => any, prohibitedKeys?: string[], ) { prohibitedKeys = [ '__proto__', 'constructor.prototype', ...(prohibitedKeys ?? []), ]; return JSON.parse(text, sanitizeJsonParse(reviver, prohibitedKeys)); }