Fix safe handling of constructor null values

CLAUDE.md

@@ -0,0 +1,62 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+This is **secure-json-parse**, a drop-in replacement for `JSON.parse()` that protects against prototype poisoning attacks. The library detects and handles dangerous `__proto__` and `constructor` properties in JSON that could lead to prototype pollution vulnerabilities.
+
+## Architecture
+
+- **Single-file module**: `index.js` contains the core functionality
+- **Three main functions**:
+  - `parse()`: Main JSON parsing with security checks (supports reviver and options)
+  - `scan()` (exported as `filter`): Scans existing objects for dangerous properties  
+  - `safeParse()`: Returns undefined instead of throwing errors
+- **Security approach**: Uses regex pre-scanning for performance, then deep object traversal for thorough cleanup
+- **Enhanced security**: Now specifically targets `constructor.prototype` patterns rather than any `constructor` property
+- **Action modes**: `error` (default), `remove`, or `ignore` for both `protoAction` and `constructorAction`
+- **TypeScript support**: Includes TypeScript definitions in `types/` directory
+
+## Commands
+
+### Testing
+```bash
+npm test                # Run linting, unit tests, and TypeScript tests
+npm run test:unit       # Run unit tests only (tape)
+npm run test:typescript # Run TypeScript definition tests (tsd)
+npm run test:browser    # Run tests in browsers using airtap
+```
+
+### Linting
+```bash
+npm run lint            # Run ESLint with neostandard config
+npm run lint:fix        # Auto-fix linting issues where possible
+```
+
+### Benchmarking
+```bash
+npm run benchmark       # Run performance benchmarks against standard JSON.parse
+```
+
+### Code Standards
+- Uses **neostandard** with **ESLint 9** for linting
+- **Tape** for testing framework
+- **nyc** for test coverage
+- **tsd** for TypeScript definition testing
+- Test files located in `test/` directory (not root)
+
+### Git Workflow
+- Use `git commit -s` to add Developer Certificate of Origin signoff
+- Create feature branches for changes
+- All commits should include proper signoff for contribution tracking
+
+## Testing Notes
+
+- Tests cover all action combinations (`error`/`remove`/`ignore`)
+- Unicode escape sequence handling is thoroughly tested  
+- Buffer and BOM (Byte Order Mark) support included
+- Tests verify behavior with overwritten `hasOwnProperty`
+- Constructor null handling is tested to prevent TypeError
+- Enhanced security tests for `constructor.prototype` patterns specifically
+- TypeScript definitions are validated with test files in `types/`

index.js

@@ -76,6 +76,8 @@ function filter (obj, { protoAction = 'error', constructorAction = 'error', safe
 
       if (constructorAction !== 'ignore' &&
           Object.prototype.hasOwnProperty.call(node, 'constructor') &&
+          node.constructor !== null &&
+          typeof node.constructor === 'object' &&
           Object.prototype.hasOwnProperty.call(node.constructor, 'prototype')) { // Avoid calling node.hasOwnProperty directly
         if (safe === true) {
           return null

test/index.test.js

@@ -257,6 +257,27 @@ test('parse', t => {
       t.end()
     })
 
+    t.test('handles constructor null safely', t => {
+      // Test that constructor: null doesn't trigger prototype pollution checks
+      t.deepEqual(
+        j.parse('{"constructor": null}', { constructorAction: 'remove' }),
+        { constructor: null }
+      )
+
+      // Test that constructor: null doesn't throw error when using error action
+      t.deepEqual(
+        j.parse('{"constructor": null}', { constructorAction: 'error' }),
+        { constructor: null }
+      )
+
+      // Test that constructor: null is preserved when using ignore action
+      t.deepEqual(
+        j.parse('{"constructor": null}', { constructorAction: 'ignore' }),
+        { constructor: null }
+      )
+      t.end()
+    })
+
     t.end()
   })