search

flightcontrolhq / superjson

Safely serialize JavaScript expressions to a superset of JSON, which includes Dates, BigInts, and more.
https://www.flightcontrol.dev?ref=superjson
MIT License
4.01k stars 87 forks source link

SuperJSON will serialize into objects that it can't deserialize #266

Closed tmcw closed 11 months ago

tmcw commented 11 months ago

Testcase, run in Deno, but the same will work in Node with the packages installed and without the npm: prefixes:

/** @jsxImportSource https://esm.sh/preact */
import SuperJSON from "npm:superjson";

const value = (
  <div>
    <h1>Hello, world!</h1>
  </div>
);

console.log(SuperJSON.serialize(value));
console.log(SuperJSON.deserialize(SuperJSON.serialize(value)));

SuperJSON has a validatePath method that makes sure it isn't reaching into constructors or other dangerous properties:

https://github.com/blitz-js/superjson/blob/main/src/accessDeep.ts#L14-L24

But it doesn't have the same on the generation side, so it can't round-trip objects with these properties. A distilled testcase now that I'm looking into it:

SuperJSON.deserialize(SuperJSON.serialize({ constructor: undefined }))

This is triggered because this serializes to

{
  json: { constructor: null },
  meta: { values: { constructor: [ "undefined" ] } }
}

I don't know exactly what a better behavior would be - possibly sanitizing these properties in serialized output, or skipping them instead of throwing in deserialization?