Disable prototype poisoning option (#1414)

* Introduce disablePrototypePoisoningProtection option * Updated test * Updated docs * Fix bundler test
2021-03-15 08:51:45 +01:00
parent 36eaed6466
commit 6a30cd9955
9 changed files with 166 additions and 31 deletions
--- a/test/unit/client.test.js
+++ b/test/unit/client.test.js
@ -1364,3 +1364,60 @@ test('Meta header disabled', t => {
    t.error(err)
  })
 })
+
+test('Prototype poisoning protection enabled by default', t => {
+  t.plan(1)
+
+  class MockConnection extends Connection {
+    request (params, callback) {
+      const stream = intoStream('{"__proto__":{"foo":"bar"}}')
+      stream.statusCode = 200
+      stream.headers = {
+        'content-type': 'application/json;utf=8',
+        'content-length': '27',
+        connection: 'keep-alive',
+        date: new Date().toISOString()
+      }
+      process.nextTick(callback, null, stream)
+      return { abort () {} }
+    }
+  }
+
+  const client = new Client({
+    node: 'http://localhost:9200',
+    Connection: MockConnection
+  })
+
+  client.info((err, result) => {
+    t.true(err instanceof errors.DeserializationError)
+  })
+})
+
+test('Disable prototype poisoning protection', t => {
+  t.plan(1)
+
+  class MockConnection extends Connection {
+    request (params, callback) {
+      const stream = intoStream('{"__proto__":{"foo":"bar"}}')
+      stream.statusCode = 200
+      stream.headers = {
+        'content-type': 'application/json;utf=8',
+        'content-length': '27',
+        connection: 'keep-alive',
+        date: new Date().toISOString()
+      }
+      process.nextTick(callback, null, stream)
+      return { abort () {} }
+    }
+  }
+
+  const client = new Client({
+    node: 'http://localhost:9200',
+    Connection: MockConnection,
+    disablePrototypePoisoningProtection: true
+  })
+
+  client.info((err, result) => {
+    t.error(err)
+  })
+})
--- a/test/unit/serializer.test.js
+++ b/test/unit/serializer.test.js
@ -157,3 +157,75 @@ test('DeserializationError', t => {
    t.ok(err instanceof DeserializationError)
  }
 })
+
+test('prototype poisoning protection', t => {
+  t.plan(2)
+  const s = new Serializer()
+  try {
+    s.deserialize('{"__proto__":{"foo":"bar"}}')
+    t.fail('Should fail')
+  } catch (err) {
+    t.ok(err instanceof DeserializationError)
+  }
+
+  try {
+    s.deserialize('{"constructor":{"prototype":{"foo":"bar"}}}')
+    t.fail('Should fail')
+  } catch (err) {
+    t.ok(err instanceof DeserializationError)
+  }
+})
+
+test('disable prototype poisoning protection', t => {
+  t.plan(2)
+  const s = new Serializer({ disablePrototypePoisoningProtection: true })
+  try {
+    s.deserialize('{"__proto__":{"foo":"bar"}}')
+    t.pass('Should not fail')
+  } catch (err) {
+    t.fail(err)
+  }
+
+  try {
+    s.deserialize('{"constructor":{"prototype":{"foo":"bar"}}}')
+    t.pass('Should not fail')
+  } catch (err) {
+    t.fail(err)
+  }
+})
+
+test('disable prototype poisoning protection only for proto', t => {
+  t.plan(2)
+  const s = new Serializer({ disablePrototypePoisoningProtection: 'proto' })
+  try {
+    s.deserialize('{"__proto__":{"foo":"bar"}}')
+    t.pass('Should not fail')
+  } catch (err) {
+    t.fail(err)
+  }
+
+  try {
+    s.deserialize('{"constructor":{"prototype":{"foo":"bar"}}}')
+    t.fail('Should fail')
+  } catch (err) {
+    t.ok(err instanceof DeserializationError)
+  }
+})
+
+test('disable prototype poisoning protection only for constructor', t => {
+  t.plan(2)
+  const s = new Serializer({ disablePrototypePoisoningProtection: 'constructor' })
+  try {
+    s.deserialize('{"__proto__":{"foo":"bar"}}')
+    t.fail('Should fail')
+  } catch (err) {
+    t.ok(err instanceof DeserializationError)
+  }
+
+  try {
+    s.deserialize('{"constructor":{"prototype":{"foo":"bar"}}}')
+    t.pass('Should not fail')
+  } catch (err) {
+    t.fail(err)
+  }
+})