ExodusMovement / fetch


prevent prototype pollution when parsing response bodies #18

Open mvayngrib opened 5 months ago

mvayngrib commented 5 months ago

e.g. https://github.com/fastify/secure-json-parse (h/t @633kh4ck), but maybe something more performant per platform, e.g. removing __proto__ on the native side in react native

ChALkeR commented 2 months ago

Parsing json bodies does not pollute the prototype

Traversing response bodies and removing arbitrary values is... suboptimal and can cause issues on its own

Instead we should perhaps add schemas for expected APIs and use those schemas as shapers, removing everything unexpected

So we could do a fetch-with-schema and require using that

mvayngrib commented 2 months ago

interesting idea, but kind of limiting. It prevents us from adding new fields without breaking old clients 🤔

ChALkeR commented 2 months ago

@mvayngrib no, it doesn't -- old clients will just have new fields removed

so this will only break if some fields the client expects would be of unexpected type ... which would likely break the clients anyway, just in a less visible way

also, we had this idea for a while 😉 so it's not new

mvayngrib commented 2 months ago

> old clients will just have new fields removed

Ah, I see. Still, this seems like something we'll need to slowly adopt across a large codebase. I was hoping we could secure JSON.parse itself better in a single place. What side effects could there be from removing '__proto__' from parseable fields?
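The following is an added example, not code from ExodusMovement/fetch or from any commenter in this thread. On a constructed response body it demonstrates the three points discussed above: that `JSON.parse` alone leaves `__proto__` as an own data property and does not touch `Object.prototype`; a reviver-based parse that drops `__proto__` (and `constructor`) keys, which is the "secure JSON.parse in one place" approach; and a schema shaper that copies only expected fields into a fresh object, which is the "fetch-with-schema" approach. Every function name, the schema grammar and the sample body are hypothetical.

```javascript
// Added example, not code from ExodusMovement/fetch. All names are hypothetical.

// Constructed response body carrying the keys a hostile API could send.
const SAMPLE_BODY =
  '{"balance": 42, "owner": {"name": "alice", "__proto__": {"admin": true}},' +
  ' "__proto__": {"polluted": true}, "constructor": {"prototype": {"x": 1}}}';

// (1) Plain JSON.parse: "__proto__" becomes an OWN data property of the result.
// The object's real prototype is unchanged and nothing leaks into Object.prototype.
function inspectRawParse(text) {
  const obj = JSON.parse(text);
  return {
    hasOwnProtoKey: Object.prototype.hasOwnProperty.call(obj, '__proto__'),
    prototypeIsObjectPrototype: Object.getPrototypeOf(obj) === Object.prototype,
    globalPolluted: ({}).polluted === true, // remains false
  };
}

// (2) Strip dangerous keys at parse time with the JSON.parse reviver: returning
// undefined deletes that property from its holder. Side effect: a legitimate field
// that happens to be named "__proto__" or "constructor" is silently lost.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor']);
function parseStrippingProto(text) {
  return JSON.parse(text, (key, value) => (DANGEROUS_KEYS.has(key) ? undefined : value));
}

// (3) Schema shaper. Hypothetical schema grammar: a type-name string for leaves
// ("string", "number", "boolean"), a nested object for objects, [elem] for arrays.
// Only keys listed in the schema are copied into a fresh object, so "__proto__",
// "constructor" and any field a newer server adds are dropped for this client.
// Absent fields stay absent; a present field of the wrong type throws, which is
// the one case that actually breaks the client.
function shape(schema, value, path = '$') {
  if (Array.isArray(schema)) {
    if (!Array.isArray(value)) throw new TypeError(`${path}: expected array`);
    return value.map((item, i) => shape(schema[0], item, `${path}[${i}]`));
  }
  if (schema !== null && typeof schema === 'object') {
    if (value === null || typeof value !== 'object' || Array.isArray(value)) {
      throw new TypeError(`${path}: expected object`);
    }
    const out = {};
    for (const key of Object.keys(schema)) {
      if (DANGEROUS_KEYS.has(key)) continue; // a schema must never re-introduce these
      if (!Object.prototype.hasOwnProperty.call(value, key)) continue;
      out[key] = shape(schema[key], value[key], `${path}.${key}`);
    }
    return out;
  }
  if (typeof value !== schema) {
    throw new TypeError(`${path}: expected ${schema}, got ${typeof value}`);
  }
  return value;
}

function parseWithSchema(schema, text) {
  return shape(schema, JSON.parse(text));
}

// The "fetch-with-schema" wrapper; fetchImpl is injectable so it can be exercised
// without network access (defaults to the global fetch where one exists).
async function fetchWithSchema(schema, url, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(url);
  return parseWithSchema(schema, await res.text());
}

// Hypothetical schema for the constructed body above.
const ACCOUNT_SCHEMA = { balance: 'number', owner: { name: 'string' }, tags: ['string'] };
```

Both hardened parsers return `{"balance":42,"owner":{"name":"alice"}}` for the sample body; the difference is that the reviver only knows about a fixed key denylist, while the shaper removes everything the schema does not name and reports a type mismatch at the exact path where it occurs.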