Secure JSON parse

I’ve built a web framework for workers with an API similar to popular node libraries like koa/express/fastify. This framework is part of a suite of packages optimized for the constraints of Cloudflare Workers.

One thing I noticed while researching web frameworks was that many of the node web frameworks use secure-json-parse to avoid prototype poisoning from malicious request bodies.

Is it a good idea to use secure-json-parse in a Cloudflare Worker? Wondering if JSON.parse, Request.json(), and friends are secure-by-default in workers?

1 Like

Very good question, I’m curious as to the answer. I’ve added a live interface to all input and output in order to avoid prototype poisoning, but it would be really nice not having to worry about it for every fetch request.

Workers’ JSON parser is provided by V8, so it’s exactly the same as the built-in parser in Chrome and Node.js.

I don’t think we’re likely to try to customize it. From my point of view, prototype poisoning is equally a problem in Node, Chrome, and Workers, so if it’s a problem worth fixing, the fix should be in V8. It would be confusing for each platform to start offering its own solutions to this.

Meanwhile, secure-json-parse looks like it should work fine in Workers, so you can of course use that if you want.

My take, though: Even with a “secure” parser, you should probably avoid using Object.assign() to copy attacker-provided JSON objects altogether. It seems to me that overwriting __proto__ is probably not the only way this can go badly…

4 Likes
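The point in the last reply, shown as an added example that is not part of the original thread: `JSON.parse` itself only creates an own `__proto__` property, and the damage happens when the parsed object is copied with `Object.assign()`. The request body is constructed, and `parseRejectingProto` and `pickFields` are hypothetical helpers, not the secure-json-parse API.

```javascript
// Constructed request body: valid JSON carrying a "__proto__" key.
const body = '{"name":"alice","__proto__":{"isAdmin":true}}';

// JSON.parse stores "__proto__" as an ordinary own property; nothing is
// poisoned yet and Object.prototype is untouched.
function parsedHasOwnProto(text) {
  return Object.hasOwn(JSON.parse(text), "__proto__");
}

// The copy is where it goes wrong: Object.assign performs a normal
// assignment on the target, which invokes the __proto__ setter and swaps
// the target's prototype for the object supplied in the body.
function unsafeMerge(text) {
  return Object.assign({}, JSON.parse(text));
}

// Hypothetical helper: reject such bodies at parse time with a reviver
// (a simplified stand-in for what a checking parser does).
function parseRejectingProto(text) {
  return JSON.parse(text, (key, value) => {
    if (key === "__proto__") throw new SyntaxError("forbidden key: __proto__");
    return value;
  });
}

// Hypothetical helper: instead of merging the whole body, copy only the
// expected fields, with the expected types, into a prototype-less object.
function pickFields(text, schema) {
  const input = JSON.parse(text);
  if (input === null || typeof input !== "object") {
    throw new TypeError("expected a JSON object");
  }
  const out = Object.create(null);
  for (const [field, type] of Object.entries(schema)) {
    if (Object.hasOwn(input, field) && typeof input[field] === type) {
      out[field] = input[field];
    }
  }
  return out;
}
```

`pickFields` covers the broader concern in the reply: unexpected keys of any name never reach the application object, whether or not the parser filters `__proto__`.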