Node.js Driver / NODE-3040

deserializer does not handle fields named __proto__

    • Type: Task
    • Resolution: Duplicate
    • Priority: Major - P3
    • Affects Version/s: None
    • Component/s: None

Related upstream issue: https://github.com/mongodb/js-bson/issues/420

BSON Version: 4.2.2

When deserializing BSON, any field named __proto__ will attempt to set the special __proto__ property (the object's prototype), rather than add an enumerable property to the object.

This is because there are no checks on the object[name] property assignment in multiple locations, for example here: https://github.com/mongodb/js-bson/blob/master/src/parser/deserializer.ts#L177

This is not in itself a security issue (there is no risk of modifying the global object prototype), but it leads to inconsistent behaviour if an object with an enumerable __proto__ field is serialised and then deserialised.

For example:

```javascript
const BSON = require('bson');

const original = JSON.parse('{"__proto__": {"foo": "bar"}}');
console.log(original);                     // { __proto__: { foo: 'bar' } }
console.log(original.foo);                 // undefined

const serialised = BSON.serialize(original);
const deserialised = BSON.deserialize(serialised);
console.log(deserialised);                 // {}
console.log(deserialised.foo);             // bar
```
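As an added illustration (not code from this report or from js-bson): a minimal BSON serializer/deserializer covering only the string (0x02) and embedded-document (0x03) types, run over the report's own `{"__proto__": {"foo": "bar"}}` document. The `assignField` strategy reproduces the plain `object[name] = value` assignment the report describes; the `Object.defineProperty` strategy is one common mitigation and is this example's assumption, not the driver's actual fix.

```javascript
// Minimal BSON subset (string 0x02, embedded document 0x03): just enough to
// reproduce the __proto__ round trip. deserialize() takes a setField strategy.
function serialize(obj) {
  const parts = [];
  for (const key of Object.keys(obj)) {          // own enumerable keys only
    const v = obj[key];
    const name = Buffer.from(key + '\0', 'utf8');
    if (typeof v === 'string') {
      const s = Buffer.from(v + '\0', 'utf8');
      const len = Buffer.alloc(4); len.writeInt32LE(s.length);
      parts.push(Buffer.from([0x02]), name, len, s);
    } else if (v && typeof v === 'object') {
      parts.push(Buffer.from([0x03]), name, serialize(v));
    } else throw new Error('unsupported type');
  }
  const body = Buffer.concat(parts);
  const len = Buffer.alloc(4); len.writeInt32LE(body.length + 5);  // int32 + body + 0x00
  return Buffer.concat([len, body, Buffer.from([0])]);
}
function deserialize(buf, setField, offset = 0) {
  const end = offset + buf.readInt32LE(offset);
  const out = {};
  let i = offset + 4;
  while (i < end - 1) {                           // end - 1 is the 0x00 terminator
    const type = buf[i++];
    const nameEnd = buf.indexOf(0, i);
    const name = buf.toString('utf8', i, nameEnd);
    i = nameEnd + 1;
    if (type === 0x02) {
      const slen = buf.readInt32LE(i);
      setField(out, name, buf.toString('utf8', i + 4, i + 4 + slen - 1));
      i += 4 + slen;
    } else if (type === 0x03) {
      setField(out, name, deserialize(buf, setField, i));
      i += buf.readInt32LE(i);
    } else throw new Error(`unsupported type 0x${type.toString(16)}`);
  }
  return out;
}
// What the report describes: a key named "__proto__" hits the Object.prototype setter.
const assignField = (o, k, v) => { o[k] = v; };
// Assumed mitigation: define an own enumerable data property, so the setter is never invoked.
const defineField = (o, k, v) => Object.defineProperty(o, k, { value: v, enumerable: true, writable: true, configurable: true });
function roundTrip(setField) {
  const original = JSON.parse('{"__proto__": {"foo": "bar"}}');   // constructed input, as in the report
  const result = deserialize(serialize(original), setField);
  return { keys: Object.keys(result), foo: result.foo,
           sameProto: Object.getPrototypeOf(result) === Object.prototype,
           stable: serialize(result).equals(serialize(original)) };   // re-serialises to the same bytes?
}
```

With `assignField` the result has no own keys, `foo` resolves through the replaced prototype, and re-serialising yields an empty document; with `defineField` the round trip is byte-for-byte stable.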

Assignee: Unassigned
Reporter: Alexander Golin (Inactive)