Node.js — Securely Parse JSON

Node.js provides a global JSON object providing methods to parse a JSON string to JavaScript or stringify JavaScript values to a JSON string.

The problem is that JavaScript’s global JSON object comes with a flaw allowing prototype pollution attacks. This tutorials shows you how to securely parse JSON with prototype pollution protection.

Node.js Series Overview

  1. String Replace All Appearances
  2. Remove All Whitespace From a String in JavaScript
  3. Generate a Random ID or String in Node.js or JavaScript
  4. Remove Extra Spaces From a String in JavaScript or Node.js
  5. Remove Numbers From a String in JavaScript or Node.js
  6. Get the Part Before a Character in a String in JavaScript or Node.js
  7. Get the Part After a Character in a String in JavaScript or Node.js
  8. How to Check if a Value is a String in JavaScript or Node.js
  9. Check If a String Includes All Strings in JavaScript/Node.js/TypeScript
  10. Check if a Value is a String in JavaScript and Node.js
  11. Limit and Truncate a String to a Given Length in JavaScript and Node.js
  12. Split a String into a List of Characters in JavaScript and Node.js
  13. How to Generage a UUID in Node.js
  14. Reverse a String in JavaScript or Node.js
  15. Split a String into a List of Lines in JavaScript or Node.js
  16. Split a String into a List of Words in JavaScript or Node.js
  17. Detect if a String is in camelCase Format in Javascript or Node.js
  18. Check If a String Is in Lowercase in JavaScript or Node.js
  19. Check If a String is in Uppercase in JavaScript or Node.js
  20. Get the Part After First Occurrence in a String in JavaScript or Node.js
  21. Get the Part Before First Occurrence in a String in JavaScript or Node.js
  22. Get the Part Before Last Occurrence in a String in JavaScript or Node.js
  23. Get the Part After Last Occurrence in a String in JavaScript or Node.js
  24. How to Count Words in a File
  25. How to Shuffle the Characters of a String in JavaScript or Node.js
  26. Append Characters or Words to a String in JavaScript or Node.js
  27. Check if a String is Empty in JavaScript or Node.js
  28. Ensure a String Ends with a Given Character in JavaScript or Node.js
  29. Left-Trim Characters Off a String in JavaScript or Node.js
  30. Right-Trim Characters Off a String in JavaScript or Node.js
  31. Lowercase the First Character of a String in JavaScript or Node.js
  32. Uppercase the First Character of a String in JavaScript or Node.js
  33. Prepend Characters or Words to a String in JavaScript or Node.js
  34. Check if a String is a Number
  35. Convert a String to Buffer
  36. Prevent Line Breaks in String Template Literals
  37. How to Implement a Custom `toString` Method
  38. What Is `Symbol.toStringTag` and How to Use It (Coming soon)

Prototype Pollution in a Nutshell

Consider the following code snippet illustrating the prototype pollution:

const json = '{"name":"Supercharge", "__proto__": { "x": 1 }}'

const a = JSON.parse(json)  
// { name: 'Supercharge' }

console.log(a.x)  
// undefined

const b = Object.assign({}, a)  
console.log(b.x)  
// 1

JSON.parse keeps the __proto__ property as a key on the parsed object. This becomes a problem when assigning that object to another object or copying values to another object. Then, the __proto__ property becomes the prototype of the new object.

Secure JSON.parse

That’s why we developed the @supercharge/json package to securely parse JSON strings. The @supercharge/json removes constructor and __proto__ keys when parsing objects.

Using @supercharge/json with the example from above keeps your code secure by removing injected prototype properties:

const JSON = require('@supercharge/json')

const json = '{"name":"Supercharge", "__proto__": { "x": 1 }}'

const a = JSON.parse(json)  
// { name: 'Supercharge' }

console.log(a.x)  
// undefined

const b = Object.assign({}, a)

console.log(b.x)  
// undefined    👈

That’s it!


Mentioned Resources

Explore the Library

Find interesting tutorials and solutions for your problems.