__proto__ attack mitigation #15

Description

@michaelfig

Hi,

Standard JSON.parse prevents people from injecting __proto__ into the parsed objects, which are all derived from Object. Instead an "own property" called __proto__ is created. However, this is still relatively dangerous, as code higher up the chain which is not also explicitly defending against __proto__ injections may inadvertently override the prototype chain with an attacker's input.

I would like to propose that creating __proto__ members is rejected in Jessie. To my understanding, Jessie already rejects mutable properties, so code can't later set obj.__proto__ = {}. However, I would also like to see the attempt to create the following Jessie object produce an error:

let abc = { "__proto__": {}};

Silently creating an "own property" is quite scary, and IMO should be rejected even if it makes Jessie not entirely a static superset of JSON.

Thoughts?
Michael.
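
The JSON.parse behaviour described in this issue, as an added example that is not part of the original post and is not Jessie's code. The function names and the sample input are constructed for illustration, and the reviver is one assumed way to get the rejection, not Jessie's mechanism.

```javascript
// Added example; all names here are hypothetical.

// Constructed sample input: a JSON text carrying a "__proto__" key.
const SAMPLE = '{"name": "abc", "__proto__": {"marker": true}}';

// What the issue describes: JSON.parse makes "__proto__" an ordinary own
// property, but a later copy that assigns keys one by one reaches the
// Object.prototype.__proto__ setter and replaces the copy's prototype.
function observeHazard(text) {
  const parsed = JSON.parse(text);
  const copy = Object.assign({}, parsed); // assigns via [[Set]] on the target
  const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  return {
    parsedHasOwnProto: hasOwn(parsed, '__proto__'),
    parsedPrototypeIntact: Object.getPrototypeOf(parsed) === Object.prototype,
    copyHasOwnProto: hasOwn(copy, '__proto__'),
    copyPrototypeReplaced: Object.getPrototypeOf(copy) !== Object.prototype,
    copyInheritsMarker: copy.marker === true,
  };
}

// The proposed behaviour, approximated with a reviver: refuse any input
// that would create a "__proto__" member, at any nesting depth.
// Only keys are checked; a string *value* of "__proto__" is harmless.
function parseRejectingProto(text) {
  return JSON.parse(text, (key, value) => {
    if (key === '__proto__') {
      throw new SyntaxError('"__proto__" member rejected');
    }
    return value;
  });
}
```

Only the copied object's prototype changes in `observeHazard`; `Object.prototype` itself is untouched.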
