
Commit 436b510

Updated README
1 parent 90466dc commit 436b510

File tree

1 file changed

+30
-3
lines changed


README.md

Lines changed: 30 additions & 3 deletions
@@ -8,7 +8,7 @@
88

99
Consider this:
1010

11-
```
11+
```js
1212
> const a = '{"__proto__":{ "b":5}}';
1313
'{"__proto__":{ "b":5}}'
1414

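Review bot: the retagged block at new line 11-13 is a REPL transcript (the `> const a = ...` prompt line and the echoed `'{"__proto__":{ "b":5}}'` result), not JavaScript source, so a `js` fence will mis-highlight the `>` prompt and the bare echoed string; either drop the prompt and the echoed value so the block is plain JS, or keep the fence untagged as it was.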
@@ -29,9 +29,29 @@ The problem is that `JSON.parse()` retains the `__proto__` property as a plain o
2929
itself, this is not a security issue. However, as soon as that object is assigned to another or
3030
iterated on and values copied, the `__proto__` property leaks and becomes the object's prototype.
3131

32+
## Install
33+
```
34+
npm install secure-json-parse
35+
```
36+
37+
## Usage
38+
39+
Pass the option object as a second (or third) parameter for configuring the action to take in case of a bad JSON, if nothing is configured, the default is to throw a `SyntaxError`.<br/>
40+
You can choose which action to perform in case `__proto__` is present, and in case `constructor` is present.
41+
42+
```js
43+
const sjson = require('secure-json-parse')
44+
45+
const goodJson = '{ "a": 5, "b": 6 }'
46+
const badJson = '{ "a": 5, "b": 6, "__proto__": { "x": 7 }, "constructor": {"prototype": {"bar": "baz"} } }'
47+
48+
console.log(JSON.parse(goodJson), sjson.parse(goodJson, { protoAction: 'remove', constructorAction: 'remove' }))
49+
console.log(JSON.parse(badJson), sjson.parse(badJson, { protoAction: 'remove', constructorAction: 'remove' }))
50+
```
51+
3252
## API
3353

34-
### `Bourne.parse(text, [reviver], [options])`
54+
### `sjson.parse(text, [reviver], [options])`
3555

3656
Parses a given JSON-formatted text into an object where:
3757
- `text` - the JSON text string.
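Review bot: the Usage paragraph at new line 39 is one run-on sentence held together by a raw `<br/>`; split it into two sentences and drop the HTML tag, e.g. "Pass the options object as the second (or third) parameter to configure what happens on bad JSON. If nothing is configured, the default is to throw a `SyntaxError`." The example at new lines 48-49 also only exercises `protoAction: 'remove'` / `constructorAction: 'remove'`, so the documented default (`'error'`) is never shown; a second call, `sjson.parse(badJson)` wrapped in a try/catch, would make it clear that the unsafe input is rejected unless the caller opts out.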
@@ -41,15 +61,22 @@ Parses a given JSON-formatted text into an object where:
4161
- `'error'` - throw a `SyntaxError` when a `__proto__` key is found. This is the default value.
4262
- `'remove'` - deletes any `__proto__` keys from the result object.
4363
- `'ignore'` - skips all validation (same as calling `JSON.parse()` directly).
64+
- `constructorAction` - optional string with one of:
65+
- `'error'` - throw a `SyntaxError` when a `constructor` key is found. This is the default value.
66+
- `'remove'` - deletes any `constructor` keys from the result object.
67+
- `'ignore'` - skips all validation (same as calling `JSON.parse()` directly).
4468

45-
### `Bourne.scan(obj, [options])`
69+
### `sjson.scan(obj, [options])`
4670

4771
Scans a given object for prototype properties where:
4872
- `obj` - the object being scanned.
4973
- `options` - optional configuration object where:
5074
- `protoAction` - optional string with one of:
5175
- `'error'` - throw a `SyntaxError` when a `__proto__` key is found. This is the default value.
5276
- `'remove'` - deletes any `__proto__` keys from the input `obj`.
77+
- `constructorAction` - optional string with one of:
78+
- `'error'` - throw a `SyntaxError` when a `constructor` key is found. This is the default value.
79+
- `'remove'` - deletes any `constructor` keys from the input `obj`.
5380

5481
# Acknowledgements
5582
This project has been forked from [hapijs/bourne](https://github.com/hapijs/bourne).
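Review bot: the new `'ignore'` entry for `constructorAction` at new line 67 copies the `__proto__` wording "skips all validation (same as calling `JSON.parse()` directly)", but setting only `constructorAction: 'ignore'` leaves the `__proto__` check in place, so it should read "skips the `constructor` check". Two smaller documentation points: `'error'` at new line 65 says any `constructor` key triggers the error, while the Usage example only shows `"constructor": {"prototype": ...}`, so state whether a plain `constructor` key without a nested `prototype` is rejected; and the `scan` options at new lines 77-79 list no `'ignore'` value although `parse` does, so say whether that asymmetry is intentional.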
