
Why Don't Newer Versions Of Node Remove __proto__ From Request Body?

When I send a PUT request to my express server, req.body sometimes has a __proto__ property, and other times not. Using node 0.10.26 and express 3.2.3: When I put {'a':'b', '__pr

Solution 1:

Neither express nor node is responsible for this behavior. This was actually changed a long time ago in V8, for compatibility and spec conformance.

  • Old behavior (__proto__ is stripped):

    > var x = JSON.parse('{"__proto__":[]}');
    > x.hasOwnProperty('__proto__');
    false
    
  • New behavior (__proto__ is not stripped):

    > var x = JSON.parse('{"__proto__":[]}');
    > x.hasOwnProperty('__proto__');
    true
    

Answer :

Like you said, you can write a simple middleware to strip the property yourself:

// Mount this after the body parser, otherwise req.body is still undefined here
function stripProto(req, res, next) {
  // JSON.parse now keeps "__proto__" as an ordinary own property, so delete removes it
  if (req.body && Object.prototype.hasOwnProperty.call(req.body, '__proto__')) {
    delete req.body.__proto__;
  }
  next();
}
// ...
app.use(stripProto);
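As an added example that is not part of the original answer, the script below shows why the own __proto__ key that JSON.parse now keeps is worth stripping, and extends the answer's shallow middleware to nested objects and arrays. The names bodyFromJson, copyByAssignment, stripProtoDeep and stripProtoDeepMiddleware are chosen here and are not Express or Node APIs; the JSON strings are constructed inputs.

```javascript
// Added example, not code from the original answer. Names below are
// hypothetical helpers, not Express or Node APIs.

// JSON.parse creates "__proto__" as an ordinary own data property. It does
// NOT change the prototype of the parsed object: the JSON parser bypasses the
// Object.prototype.__proto__ accessor.
function bodyFromJson(text) {
  return JSON.parse(text);
}

// Code that later copies keys by assignment (dst[k] = src[k]) DOES run the
// Object.prototype.__proto__ setter, so the key stops being inert as soon as
// the body is cloned or merged naively. This is the reason to strip it.
function copyByAssignment(src) {
  const dst = {};
  for (const k of Object.keys(src)) dst[k] = src[k];
  return dst;
}

// Rebuild the parsed value without own "__proto__" keys at any depth.
// Only "__proto__" is blocked, matching the answer; the same reasoning is
// often applied to "constructor" and "prototype", so the set is a parameter.
function stripProtoDeep(value, blocked = new Set(['__proto__'])) {
  if (Array.isArray(value)) return value.map((v) => stripProtoDeep(v, blocked));
  if (value === null || typeof value !== 'object') return value;
  const out = {};
  for (const key of Object.keys(value)) {
    if (blocked.has(key)) continue; // never assign a blocked key, so no setter runs
    out[key] = stripProtoDeep(value[key], blocked);
  }
  return out;
}

// Express-style middleware with the same (req, res, next) shape as the
// answer's stripProto. Mount it after the body parser so req.body exists.
function stripProtoDeepMiddleware(req, res, next) {
  if (req.body !== undefined) req.body = stripProtoDeep(req.body);
  next();
}

// Stand-alone run: constructed request body with a top-level and a nested key
const sample = bodyFromJson('{"a":"b","__proto__":{"x":1},"nested":{"__proto__":[]}}');
console.log('own __proto__ after parse:', Object.prototype.hasOwnProperty.call(sample, '__proto__'));
console.log('own __proto__ after strip:', Object.prototype.hasOwnProperty.call(stripProtoDeep(sample), '__proto__'));
```

Note that the shallow delete in the answer above is enough for the top-level key; the recursive version matters once the body is merged into other objects deeper than one level.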
