elasticsearch-js: Query fails with "DeserializationError: Object contains forbidden prototype property" when the response object has a "constructor" key

šŸ› Bug Report

Query fails with DeserializationError: Object contains forbidden prototype property.

This started happening when we upgraded from v7.3 to v7.11. This PR seems to be the cause: https://github.com/elastic/elasticsearch-js/pull/1110

To Reproduce

Issue a query that results in constructor being an object key in the JSON response. In our case it was detected in a request to the Term Vectors API, but I guess it can happen in many other places, like in an aggregation named constructor, etc. Example from the Term Vectors API response that affected us:

{
  "constructor": {
    "doc_freq": 1,
    "ttf": 1,
    "term_freq": 1
  }
}

See https://github.com/elastic/elasticsearch-js/pull/1110#issuecomment-790479130 for a full example.

Expected behavior

No errors thrown from a perfectly valid response.

Your Environment

  • node version: 14
  • @elastic/elasticsearch version: 7.11
  • os: Linux
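To make the reported behaviour concrete from the defender's side, here is an added example (not elasticsearch-js code, and not taken from PR #1110) contrasting two deserialization policies. The sample bodies are constructed: the first mirrors the Term Vectors snippet above, the other two carry the key shapes that a downstream deep merge could use to reach Object.prototype. The function names, the regex and the "parse, then walk" policy are this example's own assumptions about how such a check can be written.

```javascript
// Added example, not code from elasticsearch-js. Names, regex and samples are assumptions.

// Constructed sample responses: the first mirrors the Term Vectors snippet from the report,
// the other two carry the shapes that can actually reach Object.prototype downstream.
const SAMPLE_TERM_VECTORS =
  '{"term_vectors":{"body":{"terms":{"constructor":{"doc_freq":1,"ttf":1,"term_freq":1}}}}}';
const SAMPLE_PROTO_KEY = '{"user":{"__proto__":{"isAdmin":true}}}';
const SAMPLE_CTOR_PROTOTYPE = '{"user":{"constructor":{"prototype":{"isAdmin":true}}}}';

class DeserializationError extends Error {
  constructor(message) {
    super(message);
    this.name = 'DeserializationError';
  }
}

// Variant 1: textual pre-check over the raw body. This is the kind of check the report
// describes: any of the three names in key position is rejected, so a legitimate
// "constructor" data key (here, a term literally named "constructor") is a false positive.
const FORBIDDEN_KEY = /"(?:__proto__|constructor|prototype)"\s*:/;
function strictParse(body) {
  if (FORBIDDEN_KEY.test(body)) {
    throw new DeserializationError('Object contains forbidden prototype property');
  }
  return JSON.parse(body);
}

// Variant 2: parse first (JSON.parse only ever creates own properties), then walk the tree
// and reject only the shapes a later deep merge could use to reach Object.prototype: an own
// "__proto__" key, or an own "constructor" key whose value is an object carrying its own
// "prototype" key. A "constructor" key holding ordinary data passes unchanged.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function scan(node, path) {
  if (node === null || typeof node !== 'object') return;
  if (Array.isArray(node)) {
    node.forEach((item, i) => scan(item, `${path}[${i}]`));
    return;
  }
  if (hasOwn(node, '__proto__')) {
    throw new DeserializationError(`forbidden key "__proto__" at ${path}`);
  }
  if (hasOwn(node, 'constructor')) {
    const ctor = node.constructor; // the own data property shadows the inherited one
    if (ctor !== null && typeof ctor === 'object' && hasOwn(ctor, 'prototype')) {
      throw new DeserializationError(`forbidden "constructor.prototype" at ${path}`);
    }
  }
  for (const key of Object.keys(node)) scan(node[key], `${path}.${key}`);
}

function targetedParse(body) {
  const value = JSON.parse(body);
  scan(value, '$');
  return value;
}

// Helper for comparing the two policies on one input: 'accepted' or 'rejected'.
function outcome(parse, body) {
  try {
    parse(body);
    return 'accepted';
  } catch (err) {
    if (err instanceof DeserializationError) return 'rejected';
    throw err;
  }
}

// Sanity check that parsing the samples left the shared prototype untouched.
function prototypeIsClean() {
  return !('isAdmin' in {}) && Object.keys(Object.prototype).length === 0;
}

const samples = { SAMPLE_TERM_VECTORS, SAMPLE_PROTO_KEY, SAMPLE_CTOR_PROTOTYPE };
for (const [name, body] of Object.entries(samples)) {
  console.log(
    name.padEnd(22),
    'strict:', outcome(strictParse, body).padEnd(8),
    'targeted:', outcome(targetedParse, body),
  );
}
console.log('Object.prototype clean:', prototypeIsClean());
```

Run with `node` and the table shows the difference: the textual check rejects the valid Term Vectors body along with the two risky ones, while the post-parse walk accepts the Term Vectors body (the term data under `constructor` is still reachable) and rejects only the `__proto__` and `constructor.prototype` shapes. The walk also reports a JSON path, which is the detail an operator needs when a rejection does fire.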

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 19 (8 by maintainers)

Most upvoted comments

I really think this is the wrong approach here, and that the potential vulnerability that it tries to avoid is completely out of the scope of a client lib like this. I wonder if popular request libraries like node-fetch or axios would throw similar errors when calling an API with constructor as a key in the response (or maybe the browsers' standard fetch API?). Or a database client library failing to query a table with a column named constructor. I’d be puzzled, just like I was (am) when I came across this. Quite disappointing.