json-filter
[security] JSON Filter would return any property from an object
There is to my understanding quite a big security risk when using this middleware.
If we use some kind of POJO with a toJSON function that would have only visible fields returned during JSON stringifying, this toJSON function will be removed from the object when going through json-filter.
Therefore, let's imagine this case:
```js
class User {
  constructor(props) {
    this.email = props.email;
    this.id = props.id;
    this.password = props.password;
  }

  // Only the fields meant to be visible are serialized.
  toJSON() {
    return {
      email: this.email,
      id: this.id,
    };
  }
}
```
In the toJSON method, the password property is removed, but it exists in the object itself.
Now, if a request such as http://host:port/users/userID?filter=password is sent, the middleware will see a property password and return it.
My suggestion would be to use something like const hasJSONifier = typeof body.toJSON === 'function'; and if true, apply it before going through the reduce function.
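The behaviour reported above and the suggested `toJSON` check, side by side, as an added example that is not part of the original issue and is not json-filter's own code. The functions `parseFilter`, `filterRaw` and `filterSerialized`, the comma-separated filter format and the sample values are assumptions made for illustration.

```javascript
// Constructed stand-in for a field-filtering step; NOT json-filter's actual code.
class User {
  constructor(props) {
    this.email = props.email;
    this.id = props.id;
    this.password = props.password;
  }
  toJSON() {
    return { email: this.email, id: this.id };
  }
}

// Split a "?filter=a,b" value into field names (comma format is an assumption).
function parseFilter(value) {
  return String(value || '').split(',').map((f) => f.trim()).filter(Boolean);
}

// Before: picks requested fields straight off the live object, so any
// property on the instance is reachable, including ones toJSON() hides.
function filterRaw(body, fields) {
  return fields.reduce((out, key) => {
    if (key in body) out[key] = body[key];
    return out;
  }, {});
}

// After: apply toJSON() first, then pick only own properties of the result.
function filterSerialized(body, fields) {
  const hasJSONifier =
    body !== null && typeof body === 'object' && typeof body.toJSON === 'function';
  const visible = hasJSONifier ? body.toJSON() : body;
  // toJSON() may return a primitive (as Date does); nothing to filter then.
  if (visible === null || typeof visible !== 'object') return visible;
  return fields.reduce((out, key) => {
    if (Object.prototype.hasOwnProperty.call(visible, key)) out[key] = visible[key];
    return out;
  }, {});
}

// Constructed sample data.
const user = new User({ email: 'a@example.test', id: 7, password: 'constructed-secret' });
const fields = parseFilter('password,email');
console.log('raw:       ', filterRaw(user, fields));
console.log('serialized:', filterSerialized(user, fields));
```

Checking own properties of the serialized result also keeps inherited members such as `toJSON` or `constructor` from being selectable through the filter.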