JSON.parse 的 Node.js 实现

Question

I need to get javascript object from untrusted json.

Initially it comes as string and there are two ways of doing the task: eval() and JSON.parse() .

Where I can see Node.js implementation of JSON.parse , because I'm afraid that it uses eval under the hood and there can be security gaps.

I was trying to check v8 repo and even tried Function.prototype.toSource() in Firefox - no result.

Can anybody provide me with some proofs that I shouldn't worry to use it ?

Answer 1

V8 developer here. JSON.parse does not use eval under the hood -- that's precisely the point of having JSON.parse , and why it's strongly recommended to use that (rather than eval ) for parsing JSON data.

As feeela already pointed out, if you want to verify this yourself, look at the source: https://github.com/v8/v8/blob/master/src/json-parser.cc

Or run an experiment:

var bad_json_data = 'console.log("executed!"); "{foo:1}"';
var o1 = eval(bad_json_data);  // Prints to console.
var o2 = JSON.parse(bad_json_data);  // SyntaxError!

That said, you always have to be careful with untrusted input. Using JSON.parse to convert the JSON string to an object is safe, but afterwards you still have to be careful what you're using that object for (as one random example, its property values could still allow SQL injection attacks if you try to store them in a database).

Answer 2

You cannot parse Functions/Classes as JSON. And if there are functions they would be represented as strings. You can check that if u try:

 const obj = { a: () => console.log("test") } console.log(JSON.stringify(obj)) // prints {}