From 6839df018af58fa4fbfacbab46a72f7d80718f18 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 13 Mar 2020 09:29:55 +0100 Subject: [PATCH] [Backport 6.x] Secure json parsing (#1112) * Safe json parsing * Updated test Co-authored-by: Tomas Della Vedova --- lib/Serializer.js | 3 +- package.json | 3 +- test/unit/transport.test.js | 68 +++++++++++++++++++++++++++++++++++++ 3 files changed, 72 insertions(+), 2 deletions(-) diff --git a/lib/Serializer.js b/lib/Serializer.js index 8bb298a79..1ff00e057 100644 --- a/lib/Serializer.js +++ b/lib/Serializer.js @@ -6,6 +6,7 @@ const { stringify } = require('querystring') const debug = require('debug')('elasticsearch') +const sjson = require('secure-json-parse') const { SerializationError, DeserializationError } = require('./errors') class Serializer { @@ -22,7 +23,7 @@ class Serializer { deserialize (json) { debug('Deserializing', json) try { - var object = JSON.parse(json) + var object = sjson.parse(json) } catch (err) { throw new DeserializationError(err.message) } diff --git a/package.json b/package.json index 3fc895836..4542fd5c4 100644 --- a/package.json +++ b/package.json @@ -66,7 +66,8 @@ "into-stream": "^5.1.0", "ms": "^2.1.1", "once": "^1.4.0", - "pump": "^3.0.0" + "pump": "^3.0.0", + "secure-json-parse": "^2.1.0" }, "license": "Apache-2.0", "repository": { diff --git a/test/unit/transport.test.js b/test/unit/transport.test.js index bd7763c32..1abf0e3dd 100644 --- a/test/unit/transport.test.js +++ b/test/unit/transport.test.js @@ -2157,3 +2157,71 @@ test('Should pass request params and options to generateRequestId', t => { transport.request(params, options, t.error) }) + +test('Secure json parsing', t => { + t.test('__proto__ protection', t => { + t.plan(2) + function handler (req, res) { + res.setHeader('Content-Type', 'application/json;utf=8') + res.end('{"__proto__":{"a":1}}') + } + + buildServer(handler, ({ port }, server) => { + const pool = new ConnectionPool({ Connection }) + pool.addConnection(`http://localhost:${port}`) + + const transport = new Transport({ + emit: () => {}, + connectionPool: pool, + serializer: new Serializer(), + maxRetries: 3, + requestTimeout: 30000, + sniffInterval: false, + sniffOnStart: false + }) + + transport.request({ + method: 'GET', + path: '/hello' + }, (err, { body }) => { + t.true(err instanceof DeserializationError) + t.is(err.message, 'Object contains forbidden prototype property') + server.stop() + }) + }) + }) + + t.test('constructor protection', t => { + t.plan(2) + function handler (req, res) { + res.setHeader('Content-Type', 'application/json;utf=8') + res.end('{"constructor":{"prototype":{"bar":"baz"}}}') + } + + buildServer(handler, ({ port }, server) => { + const pool = new ConnectionPool({ Connection }) + pool.addConnection(`http://localhost:${port}`) + + const transport = new Transport({ + emit: () => {}, + connectionPool: pool, + serializer: new Serializer(), + maxRetries: 3, + requestTimeout: 30000, + sniffInterval: false, + sniffOnStart: false + }) + + transport.request({ + method: 'GET', + path: '/hello' + }, (err, { body }) => { + t.true(err instanceof DeserializationError) + t.is(err.message, 'Object contains forbidden prototype property') + server.stop() + }) + }) + }) + + t.end() +})