Node.js — Securely Parse JSON

JavaScript provides a global JSON object with methods to parse a JSON string into a JavaScript value and to stringify JavaScript values into a JSON string.

The catch is that JSON.parse faithfully turns a "__proto__" key in untrusted input into a property of the parsed object, and code that later copies or merges that object can be tricked into prototype pollution. This tutorial shows you how to parse JSON with protection against prototype pollution.


Prototype Pollution in a Nutshell

Consider the following code snippet illustrating the prototype pollution:

const json = '{"name":"Supercharge", "__proto__": { "x": 1 }}'

const a = JSON.parse(json)
// a carries an own data property literally named "__proto__":
// { name: 'Supercharge', ['__proto__']: { x: 1 } }

console.log(a.x)
// undefined: a's real prototype is still Object.prototype

const b = Object.assign({}, a)
// Object.assign writes every key with a regular property assignment, and
// assigning "__proto__" on a plain object invokes the inherited __proto__ setter

console.log(b.x)
// 1: { x: 1 } is now the prototype of b

JSON.parse keeps __proto__ as an ordinary own property on the parsed object, which is why a.x is still undefined. The problem starts when that object is copied into another one, for example with Object.assign or a recursive merge: those write each key with a regular property assignment, and assigning __proto__ on a plain object invokes the Object.prototype.__proto__ setter, so the injected object becomes the prototype of the target. With a recursive merge the write lands on Object.prototype itself, and every object in the process inherits the attacker's properties.

Secure JSON.parse

That’s why we developed the @supercharge/json package to securely parse JSON strings. @supercharge/json removes constructor and __proto__ keys when parsing objects, so they never reach code that copies or merges the result.

Using @supercharge/json with the example from above keeps your code secure: the injected __proto__ key is dropped at parse time, and Object.assign has nothing left to turn into a prototype:

const JSON = require('@supercharge/json')

const json = '{"name":"Supercharge", "__proto__": { "x": 1 }}'

const a = JSON.parse(json)
// { name: 'Supercharge' }  (no "__proto__" key survives the parse)

console.log(a.x)
// undefined

const b = Object.assign({}, a)

console.log(b.x)
// undefined    👈 nothing was copied into b's prototype
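As an added example that is not code from the original page or from the @supercharge/json package: the script below builds the protection the two sections above describe on top of JSON.parse's standard reviver callback (dropping __proto__ and constructor keys at every depth), and runs it beside a constructed, deliberately naive deep-merge to show how an untouched __proto__ key escalates from a per-object trick (the Object.assign case above) to process-wide pollution of Object.prototype. The names secureJsonParse, naiveMerge and runDemo, and the payloads, are constructed for this example; nothing here claims to be how @supercharge/json is implemented.

```javascript
// Added example (not code from the original page or from @supercharge/json):
// a hardened JSON.parse built on the standard reviver callback, alongside a
// constructed naive deep-merge that shows why the raw parse result is unsafe.
// The names secureJsonParse, naiveMerge and runDemo are assumptions.

// Keys that let attacker-controlled JSON reach an object's prototype chain.
// Dropping "constructor" wholesale also discards legitimate data stored under
// that key; that is the trade-off the page describes for @supercharge/json.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor'])

// JSON.parse calls the reviver for every key at every depth (arrays included).
// Returning undefined makes JSON.parse delete that property from its holder,
// so a "__proto__" key never exists on the returned object.
function secureJsonParse (text) {
  return JSON.parse(text, (key, value) => (FORBIDDEN_KEYS.has(key) ? undefined : value))
}

// Deliberately naive recursive merge, the classic sink for prototype pollution:
// target['__proto__'] reads through the inherited accessor and returns
// Object.prototype, so the recursion writes straight into the global prototype.
function naiveMerge (target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key]
    if (value !== null && typeof value === 'object' && typeof target[key] === 'object') {
      naiveMerge(target[key], value)
    } else {
      target[key] = value
    }
  }
  return target
}

// Walks the raw and hardened paths over one constructed payload and returns
// the observations so they can be checked rather than only printed.
function runDemo () {
  // Constructed attacker-controlled input, e.g. a request body.
  const payload = '{"name":"Supercharge","__proto__":{"polluted":true}}'

  // 1. Raw JSON.parse keeps "__proto__" as an own data property. The real
  //    prototype is untouched, so raw.polluted is still undefined.
  const raw = JSON.parse(payload)
  const rawHasOwnProto = Object.prototype.hasOwnProperty.call(raw, '__proto__')
  const rawPolluted = raw.polluted

  // 2. Object.assign writes each key with a regular assignment; setting
  //    "__proto__" on a plain object invokes the Object.prototype.__proto__
  //    setter. The injected object becomes the prototype of `assigned` only.
  const assigned = Object.assign({}, raw)
  const assignedPolluted = assigned.polluted === true

  // 3. A recursive merge into a fresh object pollutes Object.prototype itself,
  //    so every object in the process now inherits the attacker's property.
  let globalPolluted
  try {
    naiveMerge({}, raw)
    globalPolluted = ({}).polluted === true
  } finally {
    delete Object.prototype.polluted // undo the damage for the rest of the process
  }

  // 4. The hardened parser drops the key before it can reach either sink.
  const safe = secureJsonParse(payload)
  const safeHasOwnProto = Object.prototype.hasOwnProperty.call(safe, '__proto__')
  naiveMerge({}, safe)
  const stillClean = ({}).polluted === undefined

  // 5. Nested payloads are covered too, because the reviver visits every level.
  const nested = secureJsonParse(
    '{"user":{"__proto__":{"admin":true}},"list":[{"constructor":{"prototype":{"admin":true}}}]}'
  )
  const nestedClean = !Object.prototype.hasOwnProperty.call(nested.user, '__proto__') &&
    !Object.prototype.hasOwnProperty.call(nested.list[0], 'constructor')

  return {
    rawHasOwnProto, rawPolluted, assignedPolluted, globalPolluted,
    safeName: safe.name, safeHasOwnProto, stillClean, nestedClean
  }
}

console.log(runDemo())
```

Run it with node. The reviver costs one callback per key, and it makes the trade-off explicit: any legitimate data stored under a key named constructor is dropped too, exactly as the page describes for @supercharge/json. Whichever parser you choose, a merge or clone that accepts untrusted objects should also refuse these keys itself, because the parser cannot know which of its results will later flow into a recursive merge.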

That’s it!
