Fixes #1904. (#1946)

rrayst · predic8 · web-flow · commit 16e838a12f06 · 2025-07-03T11:12:32.000+02:00
* Fixes #1904. * renamed property --------- Co-authored-by: Thomas Bayer <bayer@predic8.de>
diff --git a/core/src/main/java/com/predic8/membrane/core/interceptor/json/JsonProtectionInterceptor.java b/core/src/main/java/com/predic8/membrane/core/interceptor/json/JsonProtectionInterceptor.java
@@ -57,7 +57,7 @@ public class JsonProtectionInterceptor extends AbstractInterceptor {
     private int maxKeyLength = 256;
     private int maxObjectSize = 1000;
     private int maxArraySize = 1000;
-
+    private boolean blockProto = true;
 
     public JsonProtectionInterceptor() {
         name = "json protection";
@@ -93,6 +93,10 @@ public void check(JsonToken jsonToken, JsonParser parser) throws JsonProtectionE
                 throw new JsonProtectionException("Exceeded maxObjectSize.",
                                                     parser.currentLocation().getLineNr(),
                                                     parser.currentLocation().getColumnNr());
+            if (blockProto && "__proto__".equals(parser.currentName()))
+                throw new JsonProtectionException("__proto__ found as key.",
+                        parser.currentLocation().getLineNr(),
+                        parser.currentLocation().getColumnNr());
             if (parser.currentName().length() > maxKeyLength) {
                 throw new JsonProtectionException("Exceeded maxKeyLength.",
                                                     parser.currentLocation().getLineNr(),
@@ -366,6 +370,20 @@ public void setMaxArraySize(int maxArraySize) {
         this.maxArraySize = maxArraySize;
     }
 
+    public boolean isBlockProto() {
+        return blockProto;
+    }
+
+    /**
+     * @description Blocks JSON properties with a key of "__proto__" to avoid prototype pollution in Javascript backends.
+     * @default true
+     * @param blockProto
+     */
+    @MCAttribute
+    public void setBlockProto(boolean blockProto) {
+        this.blockProto = blockProto;
+    }
+
     @Override
     public String getShortDescription() {
         return "Protects against several JSON attack classes.";
diff --git a/core/src/test/java/com/predic8/membrane/core/interceptor/json/JsonProtectionInterceptorTest.java b/core/src/test/java/com/predic8/membrane/core/interceptor/json/JsonProtectionInterceptorTest.java
@@ -42,6 +42,7 @@ private static JsonProtectionInterceptor buildJPI(boolean prod) {
         jpi.setMaxKeyLength(10);
         jpi.setMaxObjectSize(10);
         jpi.setMaxArraySize(2048);
+        jpi.setBlockProto(true);
 
         jpi.init(router);
         return jpi;
@@ -229,6 +230,15 @@ public void justNotTooManyTokens() throws Exception {
                 CONTINUE);
     }
 
+    @Test
+    public void protoBlocked() throws Exception {
+        send("{\"__proto__\": {}}",
+                RETURN,
+                1,
+                16,
+                "__proto__ found as key.");
+    }
+
     private void send(String body, Outcome expectOut, Object ...parameters) throws Exception {
         Exchange exc = new Request.Builder()
                 .post("/")
