Use json reviver in express.json() middleware. (#913)

Gnuxie
2025-06-24 13:49:04 +01:00
committed by GitHub
parent 5b445d273e
commit 5565ef3bc7
2 changed files with 14 additions and 5 deletions


@@ -515,10 +515,18 @@ function patchMatrixClientForRetry() {
let isMatrixClientPatchedForPrototypePollution = false;
export function jsonReviver<T = unknown>(key: string, value: T): T | undefined {
if (key === "__proto__" || key === "constructor") {
return undefined;
} else {
return value;
switch (key) {
case "__proto__":
case "constructor":
case "prototype":
case "toString":
case "valueOf":
case "hasOwnProperty":
case "__defineGetter__":
case "__defineSetter__":
return undefined;
default:
return value;
}
}
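Review bot: The key list in `jsonReviver` is a hand-picked subset of `Object.prototype` member names, and nothing in the function says how it was chosen or that a match removes the property from the parsed result at every nesting depth. Names such as `__lookupGetter__`, `__lookupSetter__`, `isPrototypeOf`, `propertyIsEnumerable` and `toLocaleString` are not covered, so either add them or document why only these eight matter. A legitimate payload field named `constructor` or `toString` is also dropped without any log line, which will be hard to diagnose when a request body arrives with a field missing. I would add a TSDoc block above the function stating that it is a `JSON.parse` reviver and that returning `undefined` deletes the key, and move the names into a module-level `const DROPPED_KEYS = new Set<string>([...])` so the list can be reviewed and unit-tested in one place.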


@@ -21,6 +21,7 @@ import {
} from "@the-draupnir-project/matrix-basic-types";
import { Logger, Task } from "matrix-protection-suite";
import { SynapseHttpAntispam } from "./SynapseHTTPAntispam/SynapseHttpAntispam";
import { jsonReviver } from "../utils";
const log = new Logger("WebAPIs");
@@ -41,7 +42,7 @@ export class WebAPIs {
private readonly synapseHTTPAntispam: SynapseHttpAntispam | undefined
) {
// Setup JSON parsing.
this.webController.use(express.json());
this.webController.use(express.json({ reviver: jsonReviver }));
this.synapseHTTPAntispam?.register(this.webController);
}
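Review bot: The comment `// Setup JSON parsing.` above the changed line no longer describes what the middleware does, since parsed bodies now have keys removed by `jsonReviver` before any handler sees them. I would change it to `// Parse JSON bodies; jsonReviver strips prototype-pollution keys. Keep this registered before any route.` so the ordering ahead of `synapseHTTPAntispam?.register(...)` is not changed by accident. The reviver covers only bodies parsed by this `express.json()` instance; if other routers or body parsers are mounted elsewhere (not visible in this hunk), they would need the same option. The constructor begins outside the hunk.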