no-object-forgery


Protecting against Object Forgery

JSON.parse makes it easy to unintentionally turn untrustworthy strings into untrustworthy objects. This has led to problems when key pieces of infrastructure are less suspicious of objects than of strings.

This package monkeypatches JSON.parse and provides an isParsedObject function that likely identifies objects that were parsed from strings, which might come from an untrusted source.

See "Protecting against Object Forgery".

Usage

const isParsedObject = require('no-object-forgery');
 
// myJsonString might come from an attacker.
const x = JSON.parse(myJsonString);
 
if (isParsedObject(x)) {
  // Don't treat x as privileged.
}

If you know that a string is trustworthy, you can parse it with JSON.parseTrusted; the resulting object is not recognized as a parsed object.

JSON.parseTrusted(trustworthyJsonString);
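The idea behind isParsedObject, as an added sketch that is not the package's own code: a parse wrapper records every object it creates, and a sink that treats a certain object shape as privileged consults that record before trusting it. The names trackingParse, render and safeHtml are hypothetical, and the WeakSet design is an assumption; this page does not show how no-object-forgery tracks objects internally.

```javascript
'use strict';
// Added illustration; assumed design, not the no-object-forgery source.
const parsedObjects = new WeakSet();

// Hypothetical stand-in for the patched JSON.parse: the reviver sees every
// value the parser creates, so each object and array can be recorded.
function trackingParse(text, reviver) {
  return JSON.parse(text, function (key, value) {
    const out = reviver ? reviver.call(this, key, value) : value;
    if (out !== null && typeof out === 'object') parsedObjects.add(out);
    return out;
  });
}

function isParsedObject(x) {
  return parsedObjects.has(x); // false for primitives and untracked objects
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Hypothetical sink: code elsewhere wraps already-sanitized markup as
// { safeHtml: '...' }, and render() emits such wrappers without escaping.
function render(value) {
  const wrapped = value !== null && typeof value === 'object' &&
    typeof value.safeHtml === 'string';
  if (wrapped && !isParsedObject(value)) return value.safeHtml;
  // Strings, and wrappers that came out of a parse, are escaped.
  return escapeHtml(wrapped ? value.safeHtml : value);
}

// Constructed sample input: a request body as it might arrive from a client.
const body = '{"comment":{"safeHtml":"<b>hi</b>"}}';
const forged = trackingParse(body).comment;
console.log(isParsedObject(forged), render(forged));
console.log(render({ safeHtml: '<b>hi</b>' }));
// Limit of this sketch: a copy is a new object and is not tracked.
console.log(isParsedObject({ ...forged }));
```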

This is not an official Google product.

Install

npm i no-object-forgery

Version: 1.0.1

License: Apache-2.0

Collaborators: mikesamuel