json-filter's People

Contributors

haoxins, jonathanong, kevinrambaud, tj


json-filter's Issues

Why delegation?

Not really an Issue but, why yield *next; when there is already delegation in koa itself?

[security] JSON Filter would return any property from an object

There is to my understanding quite a big security risk when using this middleware.

If we use some kind of POJO with a toJSON function that would have only visible fields returned during JSON stringifying, this toJSON function will be removed from the object when going through json-filter.
Therefore, let's imagine this case:

class User {
    constructor(props) {
        this.email = props.email;
        this.id = props.id;
        this.password = props.password;
    }

    toJSON() {
        return {
            email: this.email,
            id: this.id,
        };
    }
}

In the toJSON method, the password property is removed but it exists in the object itself.

Now, if a request such as http://host:port/users/userID?filter=password is sent, the middleware will see a property password and return it.

My suggestion would be to use something like const hasJSONifier = typeof body.toJSON === 'function'; and if true, apply it before going through the reduce function.
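
The exposure described in this issue, next to the suggested toJSON check, as an added example that is not json-filter's own code. `pick`, `filterRaw` and `filterSerialized` are hypothetical stand-ins for the middleware's reduce-based filter, and the user values are constructed.

```javascript
// Added example: simplified stand-in for a property filter, not json-filter's source.
// Model from the issue: toJSON() hides password, but it is still an own property.
class User {
  constructor(props) {
    this.email = props.email;
    this.id = props.id;
    this.password = props.password;
  }
  toJSON() {
    return { email: this.email, id: this.id };
  }
}

// Hypothetical helper: copy only the requested own keys from obj via reduce.
function pick(obj, keys) {
  return keys.reduce((out, key) => {
    if (Object.prototype.hasOwnProperty.call(obj, key)) out[key] = obj[key];
    return out;
  }, {});
}

// Filters the raw object: toJSON() is never consulted, so hidden fields are reachable.
function filterRaw(body, filter) {
  return pick(body, filter.split(/ *, */));
}

// Suggested fix: apply toJSON() first so the filter only sees the serializable view.
function filterSerialized(body, filter) {
  if (body === null || typeof body !== 'object') return body;
  const view = typeof body.toJSON === 'function' ? body.toJSON() : body;
  if (view === null || typeof view !== 'object') return view; // e.g. Date -> string
  if (Array.isArray(view)) return view.map((item) => filterSerialized(item, filter));
  return pick(view, filter.split(/ *, */));
}

// Constructed sample data.
const user = new User({ email: 'tobi@example.com', id: 7, password: 'constructed-secret' });
console.log(JSON.stringify(filterRaw(user, 'password')));
console.log(JSON.stringify(filterSerialized(user, 'password')));
console.log(JSON.stringify(filterSerialized([user], 'id,email')));
```

With the check in place, a filter value can only narrow what toJSON() already exposes; it can never add a field back.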

Further filtering

Hi @visionmedia, I've been following the koajs project, saw this middleware and just wanted to mention that if you'd like to extend json-filter to also be able to filter parts from deep within objects, you may like json-mask:

Here's a simple example:

var mask = require('json-mask');
var body = [
  {
    name: 'tobi',
    packages: 5,
    friends: ['abby', 'loki', 'jane'],
    location: {
      id: '342',
      name: 'London'
    }
  },
  {
    name: 'loki',
    packages: 2,
    friends: ['loki', 'jane'],
    location: {
      id: '62',
      name: 'New York'
    }
  }
];
var filter = 'name,location/name';

console.log(
  mask(body, filter)
);

Out:

[ { name: 'tobi', location: { name: 'London' } },
  { name: 'loki', location: { name: 'New York' } } ]

It's a tiny lib; no dependencies.

Error with object creation

TypeError: simpleJSONFilter is not a constructor

//code.jquery.com/jquery-1.11.3.min.js
//require.js

var simpleJSONFilter;

define(function (require) {
    simpleJSONFilter = require('index.js');
});
var sjf = new simpleJSONFilter();

var data = {
    one: {
        id: 1,
        name: 'Hiro Protagonist',
        age: 27
    },
    two: {
        id: 2,
        name: 'Y.T.',
        age: 16
    },
    three: {
        id: 3,
        name: 'Raven',
        age: 40,
    },
    four: {
        id: 4,
        name: 'Uncle Enzo',
        age: 80
    },
    five: {
        id: 5,
        name: 'Fisheye',
        age: 50
    }
};

var filter = {id: 1};
var result = sjf.exec(filter, data); // Returns {one: {id: 1,name: 'Hiro Protagonist',age: 27}}

console.log(result);
