add nullPrototype option, improve performance #2
Conversation
Co-authored-by: Manuel Spigolon <[email protected]>
Co-authored-by: Manuel Spigolon <[email protected]>
Co-authored-by: Manuel Spigolon <[email protected]>
|
wait please. I am currently implementing your proposal, and trying to get it back to 100% test coverage |
|
@Eomm ready |
mcollina
left a comment
mcollina
left a comment
There was a problem hiding this comment.
I'm not sure exactly why are we adding this here. Offering prototype pollution protection is asking for security researchers to find holes in this algorithm. I would rather avoid the problem if we don't need it elsewhere.
|
I added it here, because when we merge two json schemas and they could theoretically contain the key prototype or constructor than merging it into a normal Object would result in prototype pollution. What is your concern? If you dont set nullPrototype you have normal prototype pollution. |
|
JSON schemas are code. There is nothing to worry about prototype pollutions. |
|
Please decide. I will then just take the performance improvements to the master branch |
|
@mcollina |
|
What's the link about? JSON Schema should be treated as code, see https://www.fastify.io/docs/latest/Reference/Validation-and-Serialization/. Neither AJV nor fast-json-stringify are to be considered safe against malicious schemas. |
|
Ah now I get what you mean with "Has to be handled like code". Should I close this PR? |
Maybe I'm not understanding the issue. I think those properties are allowed in JSON Schemas, aren't them?
|
|
I just fear that fast-json-stringify will not be able to handle those keys when doing merges on the schema, which are simple objects. |
3 participants
If you have Objects were you want to allow also prototype and constructor as valid keys without having the risk of prototype pollution, you have to create Objects with prototype set to null. This PR adds the nullPrototype option. It also improves the performance, by avoiding creating unnecessary intermediary Objects