Use json reviver in express.json() middleware. (#913)

Gnuxie · web-flow · commit 5565ef3bc75d · 2025-06-24T13:49:04.000+01:00
diff --git a/src/utils.ts b/src/utils.ts
@@ -515,10 +515,18 @@ function patchMatrixClientForRetry() {
 let isMatrixClientPatchedForPrototypePollution = false;
 
 export function jsonReviver<T = unknown>(key: string, value: T): T | undefined {
-  if (key === "__proto__" || key === "constructor") {
-    return undefined;
-  } else {
-    return value;
+  switch (key) {
+    case "__proto__":
+    case "constructor":
+    case "prototype":
+    case "toString":
+    case "valueOf":
+    case "hasOwnProperty":
+    case "__defineGetter__":
+    case "__defineSetter__":
+      return undefined;
+    default:
+      return value;
   }
 }
 
diff --git a/src/webapis/WebAPIs.ts b/src/webapis/WebAPIs.ts
@@ -21,6 +21,7 @@ import {
 } from "@the-draupnir-project/matrix-basic-types";
 import { Logger, Task } from "matrix-protection-suite";
 import { SynapseHttpAntispam } from "./SynapseHTTPAntispam/SynapseHttpAntispam";
+import { jsonReviver } from "../utils";
 
 const log = new Logger("WebAPIs");
 
@@ -41,7 +42,7 @@ export class WebAPIs {
     private readonly synapseHTTPAntispam: SynapseHttpAntispam | undefined
   ) {
     // Setup JSON parsing.
-    this.webController.use(express.json());
+    this.webController.use(express.json({ reviver: jsonReviver }));
     this.synapseHTTPAntispam?.register(this.webController);
   }
 
