[Backport 7.x] Secure json parsing (#1113)

* Safe json parsing * Updated test Co-authored-by: Tomas Della Vedova <delvedor@users.noreply.github.com>
2020-03-13 09:29:40 +01:00
parent db67c526e4
commit ca23e0b23a
3 changed files with 72 additions and 2 deletions
--- a/lib/Serializer.js
+++ b/lib/Serializer.js
@ -6,6 +6,7 @@

 const { stringify } = require('querystring')
 const debug = require('debug')('elasticsearch')
+const sjson = require('secure-json-parse')
 const { SerializationError, DeserializationError } = require('./errors')

 class Serializer {
@ -22,7 +23,7 @@ class Serializer {
  deserialize (json) {
    debug('Deserializing', json)
    try {
-      var object = JSON.parse(json)
+      var object = sjson.parse(json)
    } catch (err) {
      throw new DeserializationError(err.message)
    }
--- a/package.json
+++ b/package.json
@ -67,7 +67,8 @@
    "into-stream": "^5.1.0",
    "ms": "^2.1.1",
    "once": "^1.4.0",
-    "pump": "^3.0.0"
+    "pump": "^3.0.0",
+    "secure-json-parse": "^2.1.0"
  },
  "license": "Apache-2.0",
  "repository": {
--- a/test/unit/transport.test.js
+++ b/test/unit/transport.test.js
@ -2157,3 +2157,71 @@ test('Should pass request params and options to generateRequestId', t => {

  transport.request(params, options, t.error)
 })
+
+test('Secure json parsing', t => {
+  t.test('__proto__ protection', t => {
+    t.plan(2)
+    function handler (req, res) {
+      res.setHeader('Content-Type', 'application/json;utf=8')
+      res.end('{"__proto__":{"a":1}}')
+    }
+
+    buildServer(handler, ({ port }, server) => {
+      const pool = new ConnectionPool({ Connection })
+      pool.addConnection(`http://localhost:${port}`)
+
+      const transport = new Transport({
+        emit: () => {},
+        connectionPool: pool,
+        serializer: new Serializer(),
+        maxRetries: 3,
+        requestTimeout: 30000,
+        sniffInterval: false,
+        sniffOnStart: false
+      })
+
+      transport.request({
+        method: 'GET',
+        path: '/hello'
+      }, (err, { body }) => {
+        t.true(err instanceof DeserializationError)
+        t.is(err.message, 'Object contains forbidden prototype property')
+        server.stop()
+      })
+    })
+  })
+
+  t.test('constructor protection', t => {
+    t.plan(2)
+    function handler (req, res) {
+      res.setHeader('Content-Type', 'application/json;utf=8')
+      res.end('{"constructor":{"prototype":{"bar":"baz"}}}')
+    }
+
+    buildServer(handler, ({ port }, server) => {
+      const pool = new ConnectionPool({ Connection })
+      pool.addConnection(`http://localhost:${port}`)
+
+      const transport = new Transport({
+        emit: () => {},
+        connectionPool: pool,
+        serializer: new Serializer(),
+        maxRetries: 3,
+        requestTimeout: 30000,
+        sniffInterval: false,
+        sniffOnStart: false
+      })
+
+      transport.request({
+        method: 'GET',
+        path: '/hello'
+      }, (err, { body }) => {
+        t.true(err instanceof DeserializationError)
+        t.is(err.message, 'Object contains forbidden prototype property')
+        server.stop()
+      })
+    })
+  })
+
+  t.end()
+})