Package Exports

@hapi/bourne

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (@hapi/bourne) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

Bourne. JSON Bourne.

JSON.parse() drop-in replacement with prototype poisoning protection

Introduction

Consider this:

> const a = '{"__proto__":{ "b":5}}';
'{"__proto__":{ "b":5}}'

> const b = JSON.parse(a);
{ __proto__: { b: 5 } }

> b.b;
undefined

> const c = Object.assign({}, b);
{}

> c.b
5

The problem is that JSON.parse() retains the __proto__ property as a plain object key. By itself, this is not a security issue. However, as soon as that object is assigned to another or iterated on and values copied, the __proto__ property leaks and becomes the object's prototype.

API

`Bourne.parse(text, [reviver], [options])`

Parses a given JSON-formatted text into an object where:

text - the JSON text string.
reviver - the JSON.parse() optional reviver argument.
options - optional configuration object where:
- protoAction - optional string with one of:
  - 'error' - throw a SyntaxError when a __proto__ key is found. This is the default value.
  - 'remove' - deletes any __proto__ keys from the result object.
  - 'ignore' - skips all validation (same as calling JSON.parse() directly).

`Bourne.scan(obj, [options])`

Scans a given object for prototype properties where:

obj - the object being scanned.
options - optional configuration object where:
- protoAction - optional string with one of:
  - 'error' - throw a SyntaxError when a __proto__ key is found. This is the default value.
  - 'remove' - deletes any __proto__ keys from the input obj.