Implement a __proto__ check option
Eran Hammer posted an article on proto poisoning and his solution in joi/hapi: https://hueniverse.com/a-tale-of-prototype-poisoning-2610fa170061
@rgrove posted a simple implementation of a fix for this: https://gist.github.com/rgrove/3ea9421b3912235e978f55e291f19d5d
However, the fix requires a custom reviver that might slow down the default/valid parsing case; Eran prevented this by using an initial check for __proto__. It might be good to add this as a default check in body-parser in general that can be switched off… if someone wants to do so.
Issue Analytics
- Created 5 years ago
- Reactions:2
- Comments:16 (7 by maintainers)
Top GitHub Comments
@dougwilson I would personally like to see a prototype pollution protection added to express. I doubt there are many legitimate uses of __proto__ and constructor properties in requests parsed by body-parser, and removing them in a new version sounds like a worthy improvement to me. I do some input sanitization in my code, and then sometimes I let external libraries do it (such as sequelize with type validation). I don't feel like checking if these libraries are doing the right thing related to prototype pollution, but I would sleep better knowing that even if they don't handle it right, express will catch this issue before.

@rgrove unless I'm misunderstanding the docs, can't the Bourne check also be done within the body-parser middleware w/o the need to add a bespoke one after body-parser.json()?
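The following is an added example illustrating the approach the issue describes (a cheap scan of the raw JSON text for a `__proto__` key, with a deep scan of the parsed value only when that scan matches) and the middleware-side check the last comment asks about. It is not code from body-parser, @hapi/bourne or the linked gist; the names `SUSPECT_KEY_RX`, `scan`, `safeJsonParse`, `naiveMerge` and `pollutesPrototype` are this example's own, and the request bodies are constructed for the demo. It also shows why a parsed body with an own `__proto__` key is dangerous even though JSON.parse itself does not touch the prototype: a typical recursive merge over the body walks straight into Object.prototype.

```javascript
'use strict';
// Example code, not body-parser's or @hapi/bourne's implementation.

// Fast pre-check: matches a JSON *key* spelled __proto__, allowing each
// character to be written as a \u00XX escape, since JSON.parse decodes the
// escapes before creating the key and a plain includes('__proto__') would
// miss "\u005f\u005fproto__". A match only routes the text to the slow
// path, so a false positive on an odd string value costs one deep scan,
// never a wrong result.
const SUSPECT_KEY_RX =
  /"(?:_|\\u005[fF])(?:_|\\u005[fF])(?:p|\\u0070)(?:r|\\u0072)(?:o|\\u006[fF])(?:t|\\u0074)(?:o|\\u006[fF])(?:_|\\u005[fF])(?:_|\\u005[fF])"\s*:/;

const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Slow path: walk the parsed value and handle every own "__proto__"
// property. JSON.parse creates it as an ordinary own data property (the
// object's real prototype is still Object.prototype), which is exactly what
// a later deep merge or assignment turns into pollution.
function scan(value, protoAction) {
  if (value === null || typeof value !== 'object') return value;
  if (Array.isArray(value)) {
    for (const item of value) scan(item, protoAction);
    return value;
  }
  if (hasOwn(value, '__proto__')) {
    if (protoAction === 'error') {
      throw new SyntaxError('Object contains forbidden prototype property');
    }
    delete value['__proto__']; // protoAction === 'remove'
  }
  for (const key of Object.keys(value)) scan(value[key], protoAction);
  return value;
}

// Parse with the issue's two-stage check. protoAction: 'error' (reject the
// body), 'remove' (strip the key) or 'ignore' (behave like JSON.parse).
// The optional reviver is passed straight through, so a caller that already
// uses one keeps it.
function safeJsonParse(text, { protoAction = 'error', reviver } = {}) {
  const parsed = JSON.parse(text, reviver);
  if (protoAction === 'ignore' || !SUSPECT_KEY_RX.test(text)) return parsed;
  return scan(parsed, protoAction);
}

// A naive recursive merge of the kind many apps run over a request body.
// For an own "__proto__" key, target[key] resolves through the accessor on
// Object.prototype, so the merge recurses into Object.prototype itself.
function naiveMerge(target, source) {
  for (const key in source) {
    const v = source[key];
    if (v && typeof v === 'object' && !Array.isArray(v)) {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], v);
    } else {
      target[key] = v;
    }
  }
  return target;
}

// Returns true if merging parseFn(text) into a fresh object made an unrelated
// object inherit "isAdmin". Cleans up so the demo can be run repeatedly.
function pollutesPrototype(parseFn, text) {
  const unrelated = {};
  try {
    naiveMerge({}, parseFn(text));
    return unrelated.isAdmin === true;
  } finally {
    delete Object.prototype.isAdmin;
  }
}

// Constructed request bodies for the demo (not taken from the issue).
const PAYLOAD_PLAIN = '{"user":"alice","__proto__":{"isAdmin":true}}';
const PAYLOAD_ESCAPED =
  '{"user":"alice","\\u005f\\u005fproto\\u005f\\u005f":{"isAdmin":true}}';
const PAYLOAD_BENIGN = '{"user":"alice","bio":"my handle is __proto__"}';

console.log('JSON.parse + merge pollutes prototype:',
  pollutesPrototype(JSON.parse, PAYLOAD_PLAIN));
console.log('safeJsonParse(remove) + merge pollutes prototype:',
  pollutesPrototype((t) => safeJsonParse(t, { protoAction: 'remove' }), PAYLOAD_ESCAPED));
console.log('benign body takes the fast path:', !SUSPECT_KEY_RX.test(PAYLOAD_BENIGN));
```

The regex is only a filter: the deep scan is what decides, so the pre-check may over-match freely but must never under-match, which is why it has to account for `\u` escapes of every character in the key. On the question raised in the comments, body-parser's `json()` already accepts a `reviver` option, so a reviver that drops `__proto__` keys can be plugged in today; what a reviver cannot do is the raw-text pre-check, which is why the issue asks for the check to live inside body-parser where the text is available before parsing.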