superjson: superjson throws on constructor property

superjson recently started throwing on values that contain a constructor property:

superjson.stringify({ constructor: { name: 'hello' } })
// throws Error: Detected property constructor. This is a prototype pollution risk, please remove it from your object.

We’re transferring values that contain jsonschemas that describe user generated typescript interfaces. Therefore we don’t have control over which property names are in our objects, but we do know they are plain javascript objects.

Any way this restriction can be relaxed again?

About this issue

  • Original URL
  • State: open
  • Created 7 months ago
  • Reactions: 1
  • Comments: 16 (8 by maintainers)

Commits related to this issue

Most upvoted comments

@Janpot would you be willing to work on a PR with this?

I won’t in the near future, but I may pick this up at some point if it doesn’t get implemented.

I have not considered this yet, actually. If we can prevent prototype pollution with this, i’d be happy to! @Janpot would you be willing to work on a PR with this?

No, the parsing side reads the metadata to find the original prototype / constructor. The exception you’re seeing was added in response to https://github.com/blitz-js/superjson/pull/267 - we’re trying to catch invalid inputs on parsing, not on serialisation. Otherwise you’ll store something in your database, only to realise that you can’t retrieve it anymore when parsing.