[Backport 5.x] Secure json parsing (#1111)

* Safe json parsing * Updated test Co-authored-by: Tomas Della Vedova <delvedor@users.noreply.github.com>
elastic · Mar 13, 2020 · 5d0b419 · 5d0b419
1 parent 7529cd8
commit 5d0b419
Show file tree

Hide file tree

Showing 3 changed files with 72 additions and 2 deletions.
diff --git a/lib/Serializer.js b/lib/Serializer.js
@@ -6,6 +6,7 @@
 
 const { stringify } = require('querystring')
 const debug = require('debug')('elasticsearch')
+const sjson = require('secure-json-parse')
 const { SerializationError, DeserializationError } = require('./errors')
 
 class Serializer {
@@ -22,7 +23,7 @@ class Serializer {
   deserialize (json) {
     debug('Deserializing', json)
     try {
-      var object = JSON.parse(json)
+      var object = sjson.parse(json)
     } catch (err) {
       throw new DeserializationError(err.message)
     }

diff --git a/package.json b/package.json
@@ -66,7 +66,8 @@
     "into-stream": "^5.1.0",
     "ms": "^2.1.1",
     "once": "^1.4.0",
-    "pump": "^3.0.0"
+    "pump": "^3.0.0",
+    "secure-json-parse": "^2.1.0"
   },
   "license": "Apache-2.0",
   "repository": {

diff --git a/test/unit/transport.test.js b/test/unit/transport.test.js
@@ -2209,3 +2209,71 @@ test('Should pass request params and options to generateRequestId', t => {
 
   transport.request(params, options, t.error)
 })
+
+test('Secure json parsing', t => {
+  t.test('__proto__ protection', t => {
+    t.plan(2)
+    function handler (req, res) {
+      res.setHeader('Content-Type', 'application/json;utf=8')
+      res.end('{"__proto__":{"a":1}}')
+    }
+
+    buildServer(handler, ({ port }, server) => {
+      const pool = new ConnectionPool({ Connection })
+      pool.addConnection(`http://localhost:${port}`)
+
+      const transport = new Transport({
+        emit: () => {},
+        connectionPool: pool,
+        serializer: new Serializer(),
+        maxRetries: 3,
+        requestTimeout: 30000,
+        sniffInterval: false,
+        sniffOnStart: false
+      })
+
+      transport.request({
+        method: 'GET',
+        path: '/hello'
+      }, (err, { body }) => {
+        t.true(err instanceof DeserializationError)
+        t.is(err.message, 'Object contains forbidden prototype property')
+        server.stop()
+      })
+    })
+  })
+
+  t.test('constructor protection', t => {
+    t.plan(2)
+    function handler (req, res) {
+      res.setHeader('Content-Type', 'application/json;utf=8')
+      res.end('{"constructor":{"prototype":{"bar":"baz"}}}')
+    }
+
+    buildServer(handler, ({ port }, server) => {
+      const pool = new ConnectionPool({ Connection })
+      pool.addConnection(`http://localhost:${port}`)
+
+      const transport = new Transport({
+        emit: () => {},
+        connectionPool: pool,
+        serializer: new Serializer(),
+        maxRetries: 3,
+        requestTimeout: 30000,
+        sniffInterval: false,
+        sniffOnStart: false
+      })
+
+      transport.request({
+        method: 'GET',
+        path: '/hello'
+      }, (err, { body }) => {
+        t.true(err instanceof DeserializationError)
+        t.is(err.message, 'Object contains forbidden prototype property')
+        server.stop()
+      })
+    })
+  })
+
+  t.end()
+})