Code style

Author: delvedor

index.js

@@ -0,0 +1,80 @@
+'use strict'
+
+const suspectRx = /"(?:_|\\u005[Ff])(?:_|\\u005[Ff])(?:p|\\u0070)(?:r|\\u0072)(?:o|\\u006[Ff])(?:t|\\u0074)(?:o|\\u006[Ff])(?:_|\\u005[Ff])(?:_|\\u005[Ff])"\s*:/
+
+function parse (text, reviver, options) {
+  // Normalize arguments
+  if (options == null) {
+    if (reviver != null && typeof reviver === 'object') {
+      options = reviver
+      reviver = undefined
+    } else {
+      options = {}
+    }
+  }
+
+  // Parse normally, allowing exceptions
+  const obj = JSON.parse(text, reviver)
+
+  // options.protoAction: 'error' (default) / 'remove' / 'ignore'
+  if (options.protoAction === 'ignore') {
+    return obj
+  }
+
+  // Ignore null and non-objects
+  if (!obj || typeof obj !== 'object') {
+    return obj
+  }
+
+  // Check original string for potential exploit
+  if (!text.match(suspectRx)) {
+    return obj
+  }
+
+  // Scan result for proto keys
+  scan(obj, options)
+
+  return obj
+}
+
+function scan (obj, options) {
+  options = options || {}
+
+  var next = [obj]
+
+  while (next.length) {
+    const nodes = next
+    next = []
+
+    for (const node of nodes) {
+      if (Object.prototype.hasOwnProperty.call(node, '__proto__')) { // Avoid calling node.hasOwnProperty directly
+        if (options.protoAction !== 'remove') {
+          throw new SyntaxError('Object contains forbidden prototype property')
+        }
+
+        delete node.__proto__ // eslint-disable-line
+      }
+
+      for (const key in node) {
+        const value = node[key]
+        if (value && typeof value === 'object') {
+          next.push(node[key])
+        }
+      }
+    }
+  }
+}
+
+function safeParse (text, reviver) {
+  try {
+    return parse(text, reviver)
+  } catch (ignoreError) {
+    return null
+  }
+}
+
+module.exports = {
+  parse,
+  scan,
+  safeParse
+}

lib/index.js

@@ -1,24 +1,25 @@
 {
-  "name": "@hapi/bourne",
+  "name": "secure-json-parse",
+  "version": "1.0.0",
   "description": "JSON parse with prototype poisoning protection",
-  "version": "1.3.2",
-  "repository": "git://github.com/hapijs/bourne",
-  "main": "lib/index.js",
-  "keywords": [
-    "JSON",
-    "parse",
-    "safe",
-    "prototype"
-  ],
-  "dependencies": {},
-  "devDependencies": {
-    "@hapi/code": "5.x.x",
-    "@hapi/lab": "18.x.x",
-    "benchmark": "^2.1.4"
-  },
+  "main": "index.js",
   "scripts": {
-    "test": "lab -a @hapi/code -t 100 -L",
-    "test-cov-html": "lab -a @hapi/code -r html -o coverage.html"
+    "test": "tap test.js"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/fastify/secure-json-parse.git"
   },
-  "license": "BSD-3-Clause"
+  "keywords": [],
+  "author": "Tomas Della Vedova",
+  "license": "BSD-3-Clause",
+  "bugs": {
+    "url": "https://github.com/fastify/secure-json-parse/issues"
+  },
+  "homepage": "https://github.com/fastify/secure-json-parse#readme",
+  "dependencies": {},
+  "devDependencies": {
+    "standard": "^12.0.1",
+    "tap": "^12.7.0"
+  }
 }