Disable __proto__
There have been quite a few CVE related to __proto__ in the last while. I think it would be good to have a flag to enable/disable it.
A quick example:
const payload = '{"__proto__": null}' const a = {} console.log("Before : " + a) // this works Object.assign(a, JSON.parse(payload)) console.log("After : " + a) // this crashes
(It's not strictly related to JSON, as it can also apply to multipart data or other serialization format).
Some vulnerabilities:
- https://www.npmjs.com/advisories/1480
- https://snyk.io/vuln/npm:hoek:20180212
- https://www.npmjs.com/advisories/577
- (There are probably way more)
I don't know if this is fixable / manageable on our side (vs V8), but __proto__ still causes significant vulnerabilities.
Note that there are some modules to help with this, including https://github.com/hapijs/bourne.