@@ -48,91 +48,256 @@ test('parse', t => {
4848 t . end ( )
4949 } )
5050
51- t . test ( 'sanitizes object string (reviver, options)' , t => {
52- const reviver = ( key , value ) => {
53- return typeof value === 'number' ? value + 1 : value
54- }
51+ t . test ( 'protoAction' , t => {
52+ t . test ( 'sanitizes object string (reviver, options)' , t => {
53+ const reviver = ( key , value ) => {
54+ return typeof value === 'number' ? value + 1 : value
55+ }
5556
56- t . deepEqual (
57- j . parse ( '{"a": 5, "b": 6,"__proto__": { "x": 7 }}' , reviver , { protoAction : 'remove' } ) ,
58- { a : 6 , b : 7 }
59- )
60- t . end ( )
61- } )
57+ t . deepEqual (
58+ j . parse ( '{"a": 5, "b": 6,"__proto__": { "x": 7 }}' , reviver , { protoAction : 'remove' } ) ,
59+ { a : 6 , b : 7 }
60+ )
61+ t . end ( )
62+ } )
6263
63- t . test ( 'sanitizes object string (options)' , t => {
64- t . deepEqual (
65- j . parse ( '{"a": 5, "b": 6,"__proto__": { "x": 7 }}' , { protoAction : 'remove' } ) ,
66- { a : 5 , b : 6 }
67- )
68- t . end ( )
69- } )
64+ t . test ( 'sanitizes object string (options)' , t => {
65+ t . deepEqual (
66+ j . parse ( '{"a": 5, "b": 6,"__proto__": { "x": 7 }}' , { protoAction : 'remove' } ) ,
67+ { a : 5 , b : 6 }
68+ )
69+ t . end ( )
70+ } )
7071
71- t . test ( 'sanitizes object string (null, options)' , t => {
72- t . deepEqual (
73- j . parse ( '{"a": 5, "b": 6,"__proto__": { "x": 7 }}' , null , { protoAction : 'remove' } ) ,
74- { a : 5 , b : 6 }
75- )
76- t . end ( )
77- } )
72+ t . test ( 'sanitizes object string (null, options)' , t => {
73+ t . deepEqual (
74+ j . parse ( '{"a": 5, "b": 6,"__proto__": { "x": 7 }}' , null , { protoAction : 'remove' } ) ,
75+ { a : 5 , b : 6 }
76+ )
77+ t . end ( )
78+ } )
7879
79- t . test ( 'sanitizes object string (null, options)' , t => {
80- t . deepEqual (
81- j . parse ( '{"a": 5, "b": 6,"__proto__": { "x": 7 }}' , { protoAction : 'remove' } ) ,
82- { a : 5 , b : 6 }
83- )
84- t . end ( )
85- } )
80+ t . test ( 'sanitizes object string (null, options)' , t => {
81+ t . deepEqual (
82+ j . parse ( '{"a": 5, "b": 6,"__proto__": { "x": 7 }}' , { protoAction : 'remove' } ) ,
83+ { a : 5 , b : 6 }
84+ )
85+ t . end ( )
86+ } )
8687
87- t . test ( 'sanitizes nested object string' , t => {
88- t . deepEqual (
89- j . parse ( '{ "a": 5, "b": 6, "__proto__": { "x": 7 }, "c": { "d": 0, "e": "text", "__proto__": { "y": 8 }, "f": { "g": 2 } } }' , { protoAction : 'remove' } ) ,
90- { a : 5 , b : 6 , c : { d : 0 , e : 'text' , f : { g : 2 } } }
91- )
92- t . end ( )
93- } )
88+ t . test ( 'sanitizes nested object string' , t => {
89+ t . deepEqual (
90+ j . parse ( '{ "a": 5, "b": 6, "__proto__": { "x": 7 }, "c": { "d": 0, "e": "text", "__proto__": { "y": 8 }, "f": { "g": 2 } } }' , { protoAction : 'remove' } ) ,
91+ { a : 5 , b : 6 , c : { d : 0 , e : 'text' , f : { g : 2 } } }
92+ )
93+ t . end ( )
94+ } )
9495
95- t . test ( 'ignores proto property' , t => {
96- t . deepEqual (
97- j . parse ( '{ "a": 5, "b": 6, "__proto__": { "x": 7 } }' , { protoAction : 'ignore' } ) ,
98- JSON . parse ( '{ "a": 5, "b": 6, "__proto__": { "x": 7 } }' )
99- )
100- t . end ( )
101- } )
96+ t . test ( 'ignores proto property' , t => {
97+ t . deepEqual (
98+ j . parse ( '{ "a": 5, "b": 6, "__proto__": { "x": 7 } }' , { protoAction : 'ignore' } ) ,
99+ JSON . parse ( '{ "a": 5, "b": 6, "__proto__": { "x": 7 } }' )
100+ )
101+ t . end ( )
102+ } )
102103
103- t . test ( 'ignores proto value' , t => {
104- t . deepEqual (
105- j . parse ( '{"a": 5, "b": "__proto__"}' ) ,
106- { a : 5 , b : '__proto__' }
107- )
108- t . end ( )
109- } )
104+ t . test ( 'ignores proto value' , t => {
105+ t . deepEqual (
106+ j . parse ( '{"a": 5, "b": "__proto__"}' ) ,
107+ { a : 5 , b : '__proto__' }
108+ )
109+ t . end ( )
110+ } )
110111
111- t . test ( 'errors on proto property' , t => {
112- t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "__proto__": { "x": 7 } }' ) , SyntaxError )
113- t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "__proto__" : { "x": 7 } }' ) , SyntaxError )
114- t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "__proto__" \n\r\t : { "x": 7 } }' ) , SyntaxError )
115- t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "__proto__" \n \r \t : { "x": 7 } }' ) , SyntaxError )
116- t . end ( )
117- } )
112+ t . test ( 'errors on proto property' , t => {
113+ t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "__proto__": { "x": 7 } }' ) , SyntaxError )
114+ t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "__proto__" : { "x": 7 } }' ) , SyntaxError )
115+ t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "__proto__" \n\r\t : { "x": 7 } }' ) , SyntaxError )
116+ t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "__proto__" \n \r \t : { "x": 7 } }' ) , SyntaxError )
117+ t . end ( )
118+ } )
119+
120+ t . test ( 'errors on proto property (null, null)' , t => {
121+ t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "__proto__": { "x": 7 } }' , null , null ) , SyntaxError )
122+ t . end ( )
123+ } )
124+
125+ t . test ( 'errors on proto property (explicit options)' , t => {
126+ t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "__proto__": { "x": 7 } }' , { protoAction : 'error' } ) , SyntaxError )
127+ t . end ( )
128+ } )
129+
130+ t . test ( 'errors on proto property (unicode)' , t => {
131+ t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "\\u005f_proto__": { "x": 7 } }' ) , SyntaxError )
132+ t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "_\\u005fp\\u0072oto__": { "x": 7 } }' ) , SyntaxError )
133+ t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "\\u005f\\u005f\\u0070\\u0072\\u006f\\u0074\\u006f\\u005f\\u005f": { "x": 7 } }' ) , SyntaxError )
134+ t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "\\u005F_proto__": { "x": 7 } }' ) , SyntaxError )
135+ t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "_\\u005Fp\\u0072oto__": { "x": 7 } }' ) , SyntaxError )
136+ t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "\\u005F\\u005F\\u0070\\u0072\\u006F\\u0074\\u006F\\u005F\\u005F": { "x": 7 } }' ) , SyntaxError )
137+ t . end ( )
138+ } )
118139
119- t . test ( 'errors on proto property (null, null)' , t => {
120- t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "__proto__": { "x": 7 } }' , null , null ) , SyntaxError )
121140 t . end ( )
122141 } )
123142
124- t . test ( 'errors on proto property (explicit options)' , t => {
125- t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "__proto__": { "x": 7 } }' , { protoAction : 'error' } ) , SyntaxError )
143+ t . test ( 'constructorAction' , t => {
144+ t . test ( 'sanitizes object string (reviver, options)' , t => {
145+ const reviver = ( key , value ) => {
146+ return typeof value === 'number' ? value + 1 : value
147+ }
148+
149+ t . deepEqual (
150+ j . parse ( '{"a": 5, "b": 6, "constructor":{"prototype":{"bar":"baz"}} }' , reviver , { constructorAction : 'remove' } ) ,
151+ { a : 6 , b : 7 }
152+ )
153+ t . end ( )
154+ } )
155+
156+ t . test ( 'sanitizes object string (options)' , t => {
157+ t . deepEqual (
158+ j . parse ( '{"a": 5, "b": 6, "constructor":{"prototype":{"bar":"baz"}} }' , { constructorAction : 'remove' } ) ,
159+ { a : 5 , b : 6 }
160+ )
161+ t . end ( )
162+ } )
163+
164+ t . test ( 'sanitizes object string (null, options)' , t => {
165+ t . deepEqual (
166+ j . parse ( '{"a": 5, "b": 6,"constructor":{"prototype":{"bar":"baz"}} }' , null , { constructorAction : 'remove' } ) ,
167+ { a : 5 , b : 6 }
168+ )
169+ t . end ( )
170+ } )
171+
172+ t . test ( 'sanitizes object string (null, options)' , t => {
173+ t . deepEqual (
174+ j . parse ( '{"a": 5, "b": 6,"constructor":{"prototype":{"bar":"baz"}} }' , { constructorAction : 'remove' } ) ,
175+ { a : 5 , b : 6 }
176+ )
177+ t . end ( )
178+ } )
179+
180+ t . test ( 'sanitizes nested object string' , t => {
181+ t . deepEqual (
182+ j . parse ( '{ "a": 5, "b": 6, "constructor":{"prototype":{"bar":"baz"}}, "c": { "d": 0, "e": "text", "constructor":{"prototype":{"bar":"baz"}}, "f": { "g": 2 } } }' , { constructorAction : 'remove' } ) ,
183+ { a : 5 , b : 6 , c : { d : 0 , e : 'text' , f : { g : 2 } } }
184+ )
185+ t . end ( )
186+ } )
187+
188+ t . test ( 'ignores proto property' , t => {
189+ t . deepEqual (
190+ j . parse ( '{ "a": 5, "b": 6, "constructor":{"prototype":{"bar":"baz"}} }' , { constructorAction : 'ignore' } ) ,
191+ JSON . parse ( '{ "a": 5, "b": 6, "constructor":{"prototype":{"bar":"baz"}} }' )
192+ )
193+ t . end ( )
194+ } )
195+
196+ t . test ( 'ignores proto value' , t => {
197+ t . deepEqual (
198+ j . parse ( '{"a": 5, "b": "constructor"}' ) ,
199+ { a : 5 , b : 'constructor' }
200+ )
201+ t . end ( )
202+ } )
203+
204+ t . test ( 'errors on proto property' , t => {
205+ t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "constructor": {"prototype":{"bar":"baz"}} }' ) , SyntaxError )
206+ t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "constructor" : {"prototype":{"bar":"baz"}} }' ) , SyntaxError )
207+ t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "constructor" \n\r\t : {"prototype":{"bar":"baz"}} }' ) , SyntaxError )
208+ t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "constructor" \n \r \t : {"prototype":{"bar":"baz"}} }' ) , SyntaxError )
209+ t . end ( )
210+ } )
211+
212+ t . test ( 'errors on proto property (null, null)' , t => {
213+ t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "constructor":{"prototype":{"bar":"baz"}} }' , null , null ) , SyntaxError )
214+ t . end ( )
215+ } )
216+
217+ t . test ( 'errors on proto property (explicit options)' , t => {
218+ t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "constructor":{"prototype":{"bar":"baz"}} }' , { constructorAction : 'error' } ) , SyntaxError )
219+ t . end ( )
220+ } )
221+
222+ t . test ( 'errors on proto property (unicode)' , t => {
223+ t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "\\u0063\\u006fnstructor": {"prototype":{"bar":"baz"}} }' ) , SyntaxError )
224+ t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "\\u0063\\u006f\\u006e\\u0073\\u0074ructor": {"prototype":{"bar":"baz"}} }' ) , SyntaxError )
225+ t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "\\u0063\\u006f\\u006e\\u0073\\u0074\\u0072\\u0075\\u0063\\u0074\\u006f\\u0072": {"prototype":{"bar":"baz"}} }' ) , SyntaxError )
226+ t . end ( )
227+ } )
228+
126229 t . end ( )
127230 } )
128231
129- t . test ( 'errors on proto property (unicode)' , t => {
130- t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "\\u005f_proto__": { "x": 7 } }' ) , SyntaxError )
131- t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "_\\u005fp\\u0072oto__": { "x": 7 } }' ) , SyntaxError )
132- t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "\\u005f\\u005f\\u0070\\u0072\\u006f\\u0074\\u006f\\u005f\\u005f": { "x": 7 } }' ) , SyntaxError )
133- t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "\\u005F_proto__": { "x": 7 } }' ) , SyntaxError )
134- t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "_\\u005Fp\\u0072oto__": { "x": 7 } }' ) , SyntaxError )
135- t . throws ( ( ) => j . parse ( '{ "a": 5, "b": 6, "\\u005F\\u005F\\u0070\\u0072\\u006F\\u0074\\u006F\\u005F\\u005F": { "x": 7 } }' ) , SyntaxError )
232+ t . test ( 'protoAction and constructorAction' , t => {
233+ t . test ( 'protoAction=remove constructorAction=remove' , t => {
234+ t . deepEqual (
235+ j . parse (
236+ '{"a": 5, "b": 6, "constructor":{"prototype":{"bar":"baz"}}, "__proto__": { "x": 7 } }' ,
237+ { protoAction : 'remove' , constructorAction : 'remove' }
238+ ) ,
239+ { a : 5 , b : 6 }
240+ )
241+ t . end ( )
242+ } )
243+
244+ t . test ( 'protoAction=ignore constructorAction=remove' , t => {
245+ t . deepEqual (
246+ j . parse (
247+ '{"a": 5, "b": 6, "constructor":{"prototype":{"bar":"baz"}}, "__proto__": { "x": 7 } }' ,
248+ { protoAction : 'ignore' , constructorAction : 'remove' }
249+ ) ,
250+ JSON . parse ( '{ "a": 5, "b": 6, "__proto__": { "x": 7 } }' )
251+ )
252+ t . end ( )
253+ } )
254+
255+ t . test ( 'protoAction=remove constructorAction=ignore' , t => {
256+ t . deepEqual (
257+ j . parse (
258+ '{"a": 5, "b": 6, "constructor":{"prototype":{"bar":"baz"}}, "__proto__": { "x": 7 } }' ,
259+ { protoAction : 'remove' , constructorAction : 'ignore' }
260+ ) ,
261+ JSON . parse ( '{ "a": 5, "b": 6, "constructor":{"prototype":{"bar":"baz"}} }' )
262+ )
263+ t . end ( )
264+ } )
265+
266+ t . test ( 'protoAction=ignore constructorAction=ignore' , t => {
267+ t . deepEqual (
268+ j . parse (
269+ '{"a": 5, "b": 6, "constructor":{"prototype":{"bar":"baz"}}, "__proto__": { "x": 7 } }' ,
270+ { protoAction : 'ignore' , constructorAction : 'ignore' }
271+ ) ,
272+ JSON . parse ( '{ "a": 5, "b": 6, "constructor":{"prototype":{"bar":"baz"}}, "__proto__": { "x": 7 } }' )
273+ )
274+ t . end ( )
275+ } )
276+
277+ t . test ( 'protoAction=error constructorAction=ignore' , t => {
278+ t . throws ( ( ) => j . parse (
279+ '{"a": 5, "b": 6, "constructor":{"prototype":{"bar":"baz"}}, "__proto__": { "x": 7 } }' ,
280+ { protoAction : 'error' , constructorAction : 'ignore' }
281+ ) , SyntaxError )
282+ t . end ( )
283+ } )
284+
285+ t . test ( 'protoAction=ignore constructorAction=error' , t => {
286+ t . throws ( ( ) => j . parse (
287+ '{"a": 5, "b": 6, "constructor":{"prototype":{"bar":"baz"}}, "__proto__": { "x": 7 } }' ,
288+ { protoAction : 'ignore' , constructorAction : 'error' }
289+ ) , SyntaxError )
290+ t . end ( )
291+ } )
292+
293+ t . test ( 'protoAction=error constructorAction=error' , t => {
294+ t . throws ( ( ) => j . parse (
295+ '{"a": 5, "b": 6, "constructor":{"prototype":{"bar":"baz"}}, "__proto__": { "x": 7 } }' ,
296+ { protoAction : 'error' , constructorAction : 'error' }
297+ ) , SyntaxError )
298+ t . end ( )
299+ } )
300+
136301 t . end ( )
137302 } )
138303
0 commit comments