secure-json-parse
Parse JSON while blocking prototype-poisoning keys.
This crate parses untrusted JSON into a serde_json::Value and detects two key
patterns that pollute a JavaScript object's prototype once the value is copied,
merged, or iterated:
- a key literally named
__proto__ - a key named
constructorwhose value is an object containing aprototypekey (aconstructor.prototypenesting)
For each pattern you pick an action: error, remove, or ignore. A safe flag
turns any detected violation into Ok(None) instead of an error.
Installation
[]
= "0.1"
Usage
use ;
// Default options error on a forbidden key.
let err = parse;
assert!;
// Remove the key instead.
let opts = default.proto_action;
let value = parse
.unwrap
.unwrap;
assert_eq!;
Safe parsing
safe_parse folds every outcome into one three-valued result:
use ;
assert!;
assert!;
assert!;
Value means a clean parse, Violation means a forbidden key was found, and
Malformed means the JSON text was invalid.
Scanning a parsed value
scan runs the same checks on a value you already hold, with no JSON parsing:
use ;
use json;
let opts = default.constructor_action;
let cleaned = scan
.unwrap
.unwrap;
assert_eq!;
Options
| Field | Values | Default |
|---|---|---|
proto_action |
Error, Remove, Ignore |
Error |
constructor_action |
Error, Remove, Ignore |
Error |
safe |
true, false |
false |
A constructor key counts as a violation only when its value is an object that
holds a prototype key. A null, array, string, number, or bool value for
constructor is kept. So is a constructor object with no prototype child.
Scalars and null skip scanning. Objects and arrays are walked, including
arrays nested anywhere in the tree.
Byte input
parse_bytes and safe_parse_bytes take &[u8]. A leading UTF-8 byte order
mark (EF BB BF) is stripped before parsing. The text path strips a leading
U+FEFF for the same reason.
License
Licensed under the MIT license.