I'm trying to read a JSON array. Every time I try to read the array/value by passing a JSON object key like this:

json[key]

It shows an ESLint error:

[eslint] Generic Object Injection Sink (security/detect-object-injection)

I understand it's a security warning because the key may not exist. But how do I resolve this warning? Is there an easier way to read the JSON object? My plan is to pass the "key" to the function and read the JSON based on the key.

saz
  • From the Readme: "This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human." I read that as "you're not supposed to fix them all". – Duncan Thacker Jul 10 '18 at 20:38
  • Disable this rule then? – Estus Flask Jul 10 '18 at 21:31
  • Sometimes it is required, when an outside source (like user input) could be involved. Check @viveksharma's answer here: https://stackoverflow.com/a/55701580 – Tzahi Leh Sep 15 '20 at 13:19
  • This post explains why it can be a security issue: https://github.com/nodesecurity/eslint-plugin-security/blob/master/docs/the-dangers-of-square-bracket-notation.md In my opinion, you can `eslint-disable` it when you are (sure you are) not using user input for the `key` – publicJorn Dec 10 '20 at 12:33
  • Can anyone help me with a question like this? https://stackoverflow.com/questions/72295517/node-js-generic-object-injection-sink-on-eslint-using-for-iteration – r31sr4r May 18 '22 at 22:04

3 Answers

You are searching for an ESLint error fix. Here is the syntax for it:

json [`${key}`]

Example:

const obj = {
    eventName: 'Music event',
    landingPic: 'landing.jpg',
    eventPic0: 'pic0.jpg',
    eventPic1: 'pic1.jpg',
    eventPic2: 'pic2.jpg',
    eventPic3: 'pic3.jpg',
    artist: 'Elie'
};

// array of keys which need to be read (acts as a fixed list of allowed keys)
const arrayOfKey = ['landingPic', 'eventPic0', 'eventPic1', 'eventPic2', 'eventPic3'];

// let's read the value by each key in the array
arrayOfKey.forEach(key => {
    // template-literal form of the key; this is what silences the lint rule
    const value = obj[`${key}`];
    console.log(value);
});
Divya Sakariya
  • This may fix the ESLint error, but this is a security issue. Does this help with that issue? – stefantigro Jul 28 '20 at 09:58
  • Apparently, line '12' (const arrayOfKey ...) is a whitelist of allowed keys. So yes, it helps with the security issue. – Robson William Feb 04 '21 at 15:52
  • Nice. Also this will convert the value of the key to a string. – Gabriel Anderson Sep 24 '21 at 11:14
  • You may as well just use `eslint-disable-next-line security/detect-object-injection` since you are writing code to make it safe. The language hack of converting it using back ticks (`\`${key}\``) is likely a bug in the eslint rule that should be fixed. – Juan Mendes Mar 09 '22 at 15:04
What it's trying to say is that using this notation:

  • You are able to modify even prototype properties of the object which is considered dangerous
  • By being able to modify everything, you are also able to modify the constructor (method/function) so it may be injected and then exploited.

The subject is described analytically here, providing a simple example:

https://web.archive.org/web/20150430062816/https://blog.liftsecurity.io/2015/01/15/the-dangers-of-square-bracket-notation

Andreas
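
Added example, not code from the question or from either answer above. It carries the first answer's allowlist idea and the second answer's prototype-chain warning through as runnable JavaScript: an unsafe reader and an unsafe nested writer that take an untrusted key, beside hardened versions that use an allowlist, an own-property check and null-prototype objects. The object `event`, the sets `ALLOWED_KEYS` and `DANGEROUS_KEYS`, the functions `readUnsafe`/`readSafe`/`setPathUnsafe`/`setPathSafe`/`demoPollution`/`demoHardened` and the attacker path `['__proto__', 'polluted']` are all constructed for the illustration.

```javascript
// Added example, not code from the original question or answers.
// Unsafe side: what security/detect-object-injection is warning about when
// the key is untrusted (inherited properties leak on read; a nested write
// can land on Object.prototype). Safe side: the same operations behind an
// allowlist, an own-property check and null-prototype objects.
// All names and sample data below are constructed for the illustration.

// Constructed sample object, modelled on the first answer.
const event = {
  eventName: 'Music event',
  landingPic: 'landing.jpg',
  artist: 'Elie',
};

// Allowlist of keys a caller may ask for (the idea behind the first answer).
const ALLOWED_KEYS = new Set(['eventName', 'landingPic', 'artist']);

// Keys that resolve into the prototype chain when used with square brackets.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unsafe read: any key reaches the object, including inherited properties,
// so 'constructor' or 'toString' hands back a function instead of data.
function readUnsafe(obj, key) {
  return obj[key]; // flagged by security/detect-object-injection
}

// Safe read: the key must be allowlisted and an own property of obj.
function readSafe(obj, key) {
  if (!ALLOWED_KEYS.has(key) || !Object.prototype.hasOwnProperty.call(obj, key)) {
    return undefined;
  }
  return obj[key]; // eslint-disable-line security/detect-object-injection -- key validated above
}

// Unsafe nested write, as in a naive "apply this JSON body to a config".
// With path ['__proto__', 'polluted'] the first segment resolves to
// Object.prototype and the final assignment lands there, so every plain
// object in the process gains a .polluted property.
function setPathUnsafe(obj, path, value) {
  let cur = obj;
  for (const seg of path.slice(0, -1)) {
    if (typeof cur[seg] !== 'object' || cur[seg] === null) cur[seg] = {};
    cur = cur[seg];
  }
  cur[path[path.length - 1]] = value;
  return obj;
}

// Hardened nested write: refuse prototype-chain keys, never follow an
// inherited property, and create only null-prototype intermediates.
function setPathSafe(obj, path, value) {
  for (const seg of path) {
    if (DANGEROUS_KEYS.has(seg)) throw new TypeError(`refusing key: ${seg}`);
  }
  let cur = obj;
  for (const seg of path.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(cur, seg);
    if (!own || typeof cur[seg] !== 'object' || cur[seg] === null) {
      cur[seg] = Object.create(null); // eslint-disable-line security/detect-object-injection
    }
    cur = cur[seg]; // eslint-disable-line security/detect-object-injection
  }
  cur[path[path.length - 1]] = value; // eslint-disable-line security/detect-object-injection
  return obj;
}

// Runs the pollution path against the unsafe writer and reports whether an
// unrelated object was affected; then removes the polluted property again.
function demoPollution() {
  const attackerPath = ['__proto__', 'polluted']; // e.g. keys from a parsed request body
  setPathUnsafe({}, attackerPath, 'yes');
  const leaked = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return leaked;
}

// Same attacker input against the hardened writer.
function demoHardened() {
  try {
    setPathSafe(Object.create(null), ['__proto__', 'polluted'], 'yes');
    return 'wrote';
  } catch (e) {
    return e instanceof TypeError ? 'rejected' : 'other error';
  }
}

console.log(readUnsafe(event, 'constructor') === Object); // true: inherited property leaked
console.log(readSafe(event, 'constructor'));              // undefined
console.log(readSafe(event, 'artist'));                   // Elie
console.log(demoPollution());                             // true
console.log(demoHardened());                              // rejected
```

The `eslint-disable-line` comments sit only on accesses whose key has already been checked, which is the pattern the comments above recommend: silence the rule where you have made the access safe, rather than rewriting the key as a template literal to hide it from the rule.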

Unsure why, but typecasting the access parameter silences the error. Guessing this has something to do with sanitation being able to prevent pollution.

// JavaScript
const myThing = myObj[String(key)]

// TypeScript
const myThing = myObj[key as string]