[Backport 8.16] Respect disablePrototypePoisoningProtection option (#2395)

github-actions[bot] · JoshMock · web-flow · commit 586c42161d04 · 2024-10-22T15:03:23.000-05:00
Co-authored-by: Josh Mock &lt;joshua.mock@elastic.co&gt;
diff --git a/docs/basic-config.asciidoc b/docs/basic-config.asciidoc
@@ -252,8 +252,8 @@ const client = new Client({
 ----
 
 |`disablePrototypePoisoningProtection`
-|`boolean`, `'proto'`, `'constructor'` - By the default the client will protect you against prototype poisoning attacks. Read https://web.archive.org/web/20200319091159/https://hueniverse.com/square-brackets-are-the-enemy-ff5b9fd8a3e8?gi=184a27ee2a08[this article] to learn more. If needed you can disable prototype poisoning protection entirely or one of the two checks. Read the `secure-json-parse` https://github.com/fastify/secure-json-parse[documentation] to learn more. +
-_Default:_ `false`
+|`boolean`, `'proto'`, `'constructor'` - The client can protect you against prototype poisoning attacks. Read https://web.archive.org/web/20200319091159/https://hueniverse.com/square-brackets-are-the-enemy-ff5b9fd8a3e8?gi=184a27ee2a08[this article] to learn more about this security concern. If needed, you can enable prototype poisoning protection entirely (`false`) or one of the two checks (`'proto'` or `'constructor'`). For performance reasons, it is disabled by default. Read the `secure-json-parse` https://github.com/fastify/secure-json-parse[documentation] to learn more. +
+_Default:_ `true`
 
 |`caFingerprint`
 |`string` - If configured, verify that the fingerprint of the CA certificate that has signed the certificate of the server matches the supplied fingerprint. Only accepts SHA256 digest fingerprints. +
diff --git a/docs/changelog.asciidoc b/docs/changelog.asciidoc
@@ -1,6 +1,26 @@
 [[changelog-client]]
 == Release notes
 
+[discrete]
+=== 8.16.0
+
+[discrete]
+==== Features
+
+[discrete]
+===== Support for Elasticsearch `v8.16`
+
+You can find all the API changes
+https://www.elastic.co/guide/en/elasticsearch/reference/8.16/release-notes-8.16.0.html[here].
+
+[discrete]
+==== Fixes
+
+[discrete]
+===== Pass prototype poisoning options to serializer correctly
+
+The client's `disablePrototypePoisoningProtection` option was set to `true` by default, but when it was set to any other value it was ignored, making it impossible to enable prototype poisoning protection without providing a custom serializer implementation.
+
 [discrete]
 === 8.15.1
 
diff --git a/src/client.ts b/src/client.ts
@@ -228,7 +228,21 @@ export default class Client extends API {
       this.diagnostic = opts[kChild].diagnostic
     } else {
       this.diagnostic = new Diagnostic()
-      this.serializer = new options.Serializer()
+
+      let serializerOptions
+      if (opts.disablePrototypePoisoningProtection != null) {
+        if (typeof opts.disablePrototypePoisoningProtection === 'boolean') {
+          serializerOptions = {
+            enablePrototypePoisoningProtection: !opts.disablePrototypePoisoningProtection
+          }
+        } else {
+          serializerOptions = {
+            enablePrototypePoisoningProtection: opts.disablePrototypePoisoningProtection
+          }
+        }
+      }
+      this.serializer = new options.Serializer(serializerOptions)
+
       this.connectionPool = new options.ConnectionPool({
         pingTimeout: options.pingTimeout,
         resurrectStrategy: options.resurrectStrategy,
diff --git a/test/unit/client.test.ts b/test/unit/client.test.ts
@@ -482,3 +482,49 @@ test('Ensure new client does not time out at default (30s) when client sets requ
     t.end()
   }
 })
+
+test('Pass disablePrototypePoisoningProtection option to serializer', async t => {
+  let client = new Client({
+    node: 'http://localhost:9200',
+    disablePrototypePoisoningProtection: false
+  })
+  t.same(client.serializer[symbols.kJsonOptions], {
+    protoAction: 'error',
+    constructorAction: 'error'
+  })
+
+  client = new Client({
+    node: 'http://localhost:9200',
+    disablePrototypePoisoningProtection: true
+  })
+  t.same(client.serializer[symbols.kJsonOptions], {
+    protoAction: 'ignore',
+    constructorAction: 'ignore'
+  })
+
+  client = new Client({
+    node: 'http://localhost:9200',
+    disablePrototypePoisoningProtection: 'proto'
+  })
+  t.same(client.serializer[symbols.kJsonOptions], {
+    protoAction: 'error',
+    constructorAction: 'ignore'
+  })
+
+  client = new Client({
+    node: 'http://localhost:9200',
+    disablePrototypePoisoningProtection: 'constructor'
+  })
+  t.same(client.serializer[symbols.kJsonOptions], {
+    protoAction: 'ignore',
+    constructorAction: 'error'
+  })
+})
+
+test('disablePrototypePoisoningProtection is true by default', async t => {
+  const client = new Client({ node: 'http://localhost:9200' })
+  t.same(client.serializer[symbols.kJsonOptions], {
+    protoAction: 'ignore',
+    constructorAction: 'ignore'
+  })
+})
