Query fails with "DeserializationError: Object contains forbidden prototype property" when the response object has a "constructor" key
See original GitHub issue
🐛 Bug Report
Query fails with DeserializationError: Object contains forbidden prototype property.
This started happening when we upgraded from v7.3 to v7.11. This PR seems to be the cause: https://github.com/elastic/elasticsearch-js/pull/1110
To Reproduce
Issue a query that results in constructor being an object key in the JSON response. In our case it was detected in a request to the Term Vectors API, but I guess it can happen in many other places, like in an aggregation named constructor, etc. Example from the Term Vectors API response that affected us:
{
  "constructor": {
    "doc_freq": 1,
    "ttf": 1,
    "term_freq": 1
  }
}
See https://github.com/elastic/elasticsearch-js/pull/1110#issuecomment-790479130 for a full example.
Expected behavior
No errors thrown from a perfectly valid response.
Your Environment
- node version: 14
- @elastic/elasticsearch version: 7.11
- os: Linux
Issue Analytics
- Created 3 years ago
- Comments: 19 (8 by maintainers)
Top GitHub Comments

I really think this is the wrong approach here, and that the potential vulnerability that tries to avoid is completely out of the scope of a client lib like this. I wonder if popular requests libraries like node-fetch or axios would throw similar errors when calling an API with constructor as key in the response (or maybe the browsers' standard fetch API?). Or a database client library failing to query a table with a column named constructor. I'd be puzzled, just like I was (am) when I came across this. Quite disappointing.

Hello! The dev tools UI in Kibana is not using the client, but a plain HTTP proxy. The JSON parser does a full object traversal to detect dangerous keys, and has been updated to be more strict and only throw an error if the constructor key is an object which contains a prototype key. The option to more easily disable the prototype poisoning protection introduced in #1414 will land in the next minor of the client, but you can already disable it by injecting a custom serializer as shown above.
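The rule the maintainer describes (always reject "__proto__", reject "constructor" only when it is an object that itself carries a "prototype" key), applied to the Term Vectors response from the report, as an added JavaScript example. This is not the elasticsearch-js client's own serializer and does not reproduce #1414; the rejectAnyConstructor option, the checkResponse helper and the two "poisoned" sample bodies are constructed for illustration, and the option reproduces the stricter v7.11 behaviour the reporter hit, where any "constructor" key was refused.

```javascript
// Added example, not the elasticsearch-js client's own serializer: a JSON
// deserializer that walks the parsed tree and rejects key shapes that could
// poison Object.prototype if the parsed result were later deep-merged into
// another object. Default mode follows the rule in the maintainer comment:
// "__proto__" is always rejected, and "constructor" is rejected only when it
// is an object that itself carries a "prototype" key. The constructed
// rejectAnyConstructor option reproduces the stricter behaviour the reporter
// hit in v7.11, where any "constructor" key was refused.

class DeserializationError extends Error {
  constructor(message) {
    super(message);
    this.name = 'DeserializationError';
  }
}

const FORBIDDEN_MSG = 'Object contains forbidden prototype property';

// Plain object check: JSON.parse only ever yields objects, arrays and
// primitives, so "object, not array, not null" is sufficient here.
function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Recursively inspect a parsed value. JSON.parse defines "__proto__" as an
// ordinary own property (it does not invoke the setter), so Object.keys and
// hasOwnProperty both see it, which is what makes this traversal possible.
function assertNoPrototypePoisoning(value, { rejectAnyConstructor = false } = {}) {
  if (Array.isArray(value)) {
    for (const item of value) assertNoPrototypePoisoning(item, { rejectAnyConstructor });
    return;
  }
  if (!isPlainObject(value)) return;

  for (const key of Object.keys(value)) {
    if (key === '__proto__') throw new DeserializationError(FORBIDDEN_MSG);
    const child = value[key]; // own property, so a JSON "constructor" key wins over the inherited one
    if (key === 'constructor') {
      const carriesPrototype =
        isPlainObject(child) && Object.prototype.hasOwnProperty.call(child, 'prototype');
      if (rejectAnyConstructor || carriesPrototype) {
        throw new DeserializationError(FORBIDDEN_MSG);
      }
    }
    assertNoPrototypePoisoning(child, { rejectAnyConstructor });
  }
}

// Parse a response body and validate it; throws DeserializationError on a
// forbidden key and SyntaxError on malformed JSON.
function safeJsonParse(text, options) {
  const parsed = JSON.parse(text);
  assertNoPrototypePoisoning(parsed, options);
  return parsed;
}

// Convenience wrapper (constructed for this example) that reports the outcome
// as a value instead of an exception.
function checkResponse(text, options) {
  try {
    return { ok: true, value: safeJsonParse(text, options) };
  } catch (error) {
    return { ok: false, error };
  }
}

// Sample inputs. The first is the Term Vectors response from the report; the
// other two are constructed to show what the check is actually guarding.
const TERM_VECTORS_RESPONSE =
  '{"constructor": {"doc_freq": 1, "ttf": 1, "term_freq": 1}}';
const POISONED_CONSTRUCTOR =
  '{"constructor": {"prototype": {"isAdmin": true}}}';
const POISONED_PROTO = '{"__proto__": {"isAdmin": true}}';

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, body] of [
    ['term vectors (relaxed rule)', TERM_VECTORS_RESPONSE],
    ['poisoned constructor', POISONED_CONSTRUCTOR],
    ['poisoned __proto__', POISONED_PROTO],
  ]) {
    const result = checkResponse(body);
    console.log(label, result.ok ? 'accepted' : `rejected: ${result.error.message}`);
  }
  const strict = checkResponse(TERM_VECTORS_RESPONSE, { rejectAnyConstructor: true });
  console.log('term vectors (strict rule)', strict.ok ? 'accepted' : 'rejected');
}
```

Run it with node and the Term Vectors body is accepted under the relaxed rule but rejected under the strict one, which is exactly the difference between the v7.11 behaviour in the report and the updated check. The relaxed rule only matters if some later code deep-merges the parsed response into another object; JSON.parse itself never touches Object.prototype, which is why the reporter's response is harmless on its own.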