feat: avoid prototype pollution

status-im · Feb 17, 2019 · 0fcefee · 0fcefee
1 parent 104fd86
commit 0fcefee
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 1 deletion.
diff --git a/package.json b/package.json
@@ -84,6 +84,7 @@
     "async": "^2.6.1",
     "big.js": "^5.2.2",
     "bigint-buffer": "^1.1.2",
+    "bourne": "^1.1.2",
     "browser-process-hrtime": "^1.0.0",
     "chalk": "^2.4.1",
     "commander": "^2.19.0",

diff --git a/src/server.js b/src/server.js
@@ -2,6 +2,7 @@ const express = require('express');
 const bodyParser = require('body-parser');
 const chalk = require('chalk');
 const program = require('commander');
+const Bourne = require('bourne');
 
 program
   .version('0.1.0')
@@ -81,7 +82,7 @@ if(ENABLE_WS){
 
   app.ws('/', function(ws, _req) {
     ws.on('message', function(msg) {
-      provider.sendAsync(JSON.parse(msg), (err, jsonResponse) => {
+      provider.sendAsync(Bourne.parse(msg), (err, jsonResponse) => {
         if (err) {
           console.dir(err);
           ws.send({error: err});

diff --git a/yarn.lock b/yarn.lock
@@ -1496,6 +1496,11 @@ [email protected]:
   dependencies:
     hoek "4.x.x"
 
+bourne@^1.1.2:
+  version "1.1.2"
+  resolved "https://registry.yarnpkg.com/bourne/-/bourne-1.1.2.tgz#e290b5bd7166635632eaf8ef12b006b2d4a75b83"
+  integrity sha512-b2dgVkTZhkQirNMohgC00rWfpVqEi9y5tKM1k3JvoNx05ODtfQoPPd4js9CYFQoY0IM8LAmnJulEuWv74zjUOg==
+
 brace-expansion@^1.1.7:
   version "1.1.11"
   resolved "https://registry.yarnpkg.com/brace-expansion/-/brace-expansion-1.1.11.tgz#3c7fcbf529d87226f3d2f52b966ff5271eb441dd"