superjson: superjson throws on constructor property
superjson recently started throwing on values that contain a constructor property:
```js
superjson.stringify({ constructor: { name: 'hello' } })
// throws Error: Detected property constructor. This is a prototype pollution risk, please remove it from your object.
```
We’re transferring values that contain JSON schemas that describe user-generated TypeScript interfaces. Therefore we don’t have control over which property names are in our objects, but we do know they are plain JavaScript objects.
Any way this restriction can be relaxed again?
About this issue
- State: open
- Created 7 months ago
- Reactions: 1
- Comments: 16 (8 by maintainers)
Commits related to this issue
- fix: add repro for https://github.com/blitz-js/superjson/issues/279#issuecomment-1842647002 — committed to blitz-js/superjson by Skn0tt 7 months ago
I won’t in the near future, but I may pick this up at some point if it doesn’t get implemented.
I have not considered this yet, actually. If we can prevent prototype pollution with this, I’d be happy to! @Janpot would you be willing to work on a PR with this?
No, the parsing side reads the metadata to find the original prototype / constructor. The exception you’re seeing was added in response to https://github.com/blitz-js/superjson/pull/267 - we’re trying to catch invalid inputs on parsing, not on serialisation. Otherwise you’ll store something in your database, only to realise that you can’t retrieve it anymore when parsing.
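The trade-off discussed in this issue, as an added example that is not superjson's code and not part of any comment above: a path-based setter that rejects key names outright, next to one that only follows own properties. The function names `setByDenyList` and `setByOwnKeys` are hypothetical, and whether an own-property check would be sufficient for superjson's parser is an assumption the thread does not confirm.

```javascript
// Added illustration, not superjson's implementation; all names are hypothetical.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Policy A: refuse any path that names a deny-listed key, even when that key
// is ordinary data (this is the behaviour the issue reports for `constructor`).
const DENIED = new Set(['__proto__', 'prototype', 'constructor']);
function setByDenyList(root, path, value) {
  if (path.length === 0) throw new Error('Empty path');
  for (const key of path) {
    if (DENIED.has(key)) throw new Error(`Detected property ${key}`);
  }
  let target = root;
  for (const key of path.slice(0, -1)) target = target[key];
  target[path[path.length - 1]] = value;
  return root;
}

// Policy B: follow a segment only when it is an own property of a non-function
// object, so an inherited `constructor` or `__proto__` is never reached.
function setByOwnKeys(root, path, value) {
  if (path.length === 0) throw new Error('Empty path');
  let target = root;
  path.forEach((key, i) => {
    if (target === null || typeof target !== 'object' || !hasOwn(target, key)) {
      throw new Error(`Path segment ${JSON.stringify(key)} is not an own property`);
    }
    if (i < path.length - 1) target = target[key];
  });
  // defineProperty writes the own slot directly and never runs an inherited setter.
  Object.defineProperty(target, path[path.length - 1], {
    value, writable: true, enumerable: true, configurable: true,
  });
  return root;
}

// Constructed sample: the value from the issue, as JSON.parse would produce it.
const sample = JSON.parse('{"constructor":{"name":"hello"}}');
setByOwnKeys(sample, ['constructor', 'name'], 'world');
console.log(sample.constructor.name);
```

Policy B accepts the plain-data `constructor` key from the issue while still refusing any path that would have to step through an inherited property.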