Merge pull request #534 from streamich/json-pack-proto-fix

Do not decode `__proto__` object keys
streamich · Mar 5, 2024 · 1d3b3e9 · 1d3b3e9
2 parents 035f86a + 11bae69
commit 1d3b3e9
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 0 deletions.
diff --git a/src/json-pack/msgpack/MsgPackDecoderFast.ts b/src/json-pack/msgpack/MsgPackDecoderFast.ts
@@ -1,5 +1,6 @@
 import {JsonPackExtension} from '../JsonPackExtension';
 import {Reader} from '../../util/buffers/Reader';
+import {ERROR} from '../cbor/constants';
 import sharedCachedUtf8Decoder from '../../util/buffers/utf8/sharedCachedUtf8Decoder';
 import type {BinaryJsonDecoder, PackValue} from '../types';
 import type {CachedUtf8Decoder} from '../../util/buffers/utf8/CachedUtf8Decoder';
@@ -121,6 +122,7 @@ export class MsgPackDecoderFast<R extends Reader> implements BinaryJsonDecoder {
     const obj: Record<string, unknown> = {};
     for (let i = 0; i < size; i++) {
       const key = this.key();
+      if (key === '__proto__') throw ERROR.UNEXPECTED_OBJ_KEY;
       obj[key] = this.val();
     }
     return obj;

diff --git a/src/json-pack/msgpack/__tests__/MsgPackDecoderFast.spec.ts b/src/json-pack/msgpack/__tests__/MsgPackDecoderFast.spec.ts
@@ -1,3 +1,4 @@
+import {NullObject} from '../../../util/NullObject';
 import {MsgPackDecoderFast} from '../MsgPackDecoderFast';
 import {MsgPackEncoderFast} from '../MsgPackEncoderFast';
 
@@ -289,4 +290,12 @@ describe('object', () => {
     const res = decode(buf, 0);
     expect(res).toEqual(obj);
   });
+
+  test('throws on __proto__ key', () => {
+    const obj = new NullObject();
+    // tslint:disable-next-line: no-string-literal
+    obj['__proto__'] = 123;
+    const buf = encode(obj);
+    expect(() => decode(buf, 0)).toThrow();
+  });
 });
diff --git a/src/json-pack/ubjson/UbjsonDecoder.ts b/src/json-pack/ubjson/UbjsonDecoder.ts
@@ -1,5 +1,6 @@
 import {Reader} from '../../util/buffers/Reader';
 import {JsonPackExtension} from '../JsonPackExtension';
+import {ERROR} from '../cbor/constants';
 import type {BinaryJsonDecoder, PackValue} from '../types';
 
 export class UbjsonDecoder implements BinaryJsonDecoder {
@@ -104,6 +105,7 @@ export class UbjsonDecoder implements BinaryJsonDecoder {
         while (uint8[reader.x] !== 0x7d) {
           const keySize = +(this.readAny() as number);
           const key = reader.utf8(keySize);
+          if (key === '__proto__') throw ERROR.UNEXPECTED_OBJ_KEY;
           obj[key] = this.readAny();
         }
         reader.x++;

diff --git a/src/json-pack/ubjson/__tests__/UbjsonDecoder.spec.ts b/src/json-pack/ubjson/__tests__/UbjsonDecoder.spec.ts
@@ -3,6 +3,7 @@ import {Writer} from '../../../util/buffers/Writer';
 import {PackValue} from '../../types';
 import {UbjsonEncoder} from '../UbjsonEncoder';
 import {UbjsonDecoder} from '../UbjsonDecoder';
+import {NullObject} from '../../../util/NullObject';
 
 const encoder = new UbjsonEncoder(new Writer(8));
 const decoder = new UbjsonDecoder();
@@ -158,6 +159,14 @@ describe('object', () => {
       obj2: {1: 2, 3: 4},
     });
   });
+
+  test('throws on __proto__ key', () => {
+    const obj = new NullObject();
+    // tslint:disable-next-line: no-string-literal
+    obj['__proto__'] = 123;
+    const buf = encoder.encode(obj);
+    expect(() => decoder.read(buf)).toThrow();
+  });
 });
 
 describe('nested object', () => {