Reputation: 23
In order to avoid the JavaScript delete operator (ref: https://developer.mozilla.org/de/docs/Web/JavaScript/Reference/Operators/delete), I am currently using object destructuring to get rid of private properties:
    // sample helper function in ts
    const sanitizeUser = (user: User): UserSanitized => {
      const { googleData, ...rest } = user
      return rest
    }
My question is whether the return value of sanitizeUser can be securely used, without the possibility of recovering the googleData property.
Upvotes: 0
Views: 1494
Reputation: 1074028
You can be sure that the object returned by sanitizeUser will not have the googleData property. That probably means there's no way to get to that property's value from that "sanitized" object, but that depends entirely on the User object. If the User object has any properties that refer back to it (as is sometimes the case with parent/child relationships), then the sanitized object returned by sanitizeUser will have that property too — and it will still refer to the original User object, so it would be possible to get to googleData via that property.
Here's an example of that using equivalent JavaScript code:
    const sanitizeUser = (user/*: User*/)/*: UserSanitized*/ => {
        const { googleData, ...rest } = user;
        return rest;
    };
    const user = {
        googleData: "secret data!",
    };
    user.self = user;
    const sanitized = sanitizeUser(user);
    console.log(sanitized.self.googleData); // "secret data!"
But if the User object doesn't have anything referring back to itself (directly or indirectly), then no, the sanitized object is fine and there's no way to get back to the googleData property from it.
Upvotes: 2
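Added example, not part of the original question or answer: a reachability check that reports every path by which a removed property can still be reached from a "sanitized" object, next to a deep copy that omits the key at every depth and keeps cycles pointing at the copy. The helper names findPathsToKey, deepOmit and demo are hypothetical, the sample user is constructed, and the code assumes plain JSON-like data (objects and arrays only).

```javascript
// Added example; findPathsToKey, deepOmit and demo are hypothetical helper names.
// Walk every object reachable from `root` and list the paths where `key` is present.
// The WeakSet of visited objects keeps the walk finite on cyclic graphs.
function findPathsToKey(root, key) {
  const seen = new WeakSet();
  const hits = [];
  const walk = (value, path) => {
    if (value === null || typeof value !== "object" || seen.has(value)) return;
    seen.add(value);
    for (const k of Reflect.ownKeys(value)) {
      const childPath = path.concat(String(k));
      if (k === key) hits.push(childPath.join("."));
      walk(value[k], childPath);
    }
  };
  walk(root, []);
  return hits;
}

// Copy the graph while omitting `key` at every depth. The Map from original to copy
// preserves cycles, so a back-reference lands on the sanitized copy, not the original.
function deepOmit(root, key) {
  const copies = new Map();
  const clone = (value) => {
    if (value === null || typeof value !== "object") return value;
    if (copies.has(value)) return copies.get(value);
    const out = Array.isArray(value) ? [] : {};
    copies.set(value, out);
    for (const k of Object.keys(value)) {
      if (k !== key) out[k] = clone(value[k]);
    }
    return out;
  };
  return clone(root);
}

// Constructed sample data: a user whose child record refers back to it.
function demo() {
  const user = { name: "alice", googleData: "secret data!", sessions: [] };
  user.sessions.push({ id: 1, owner: user });
  const { googleData, ...shallow } = user; // the approach from the question
  const deep = deepOmit(user, "googleData");
  return {
    shallowLeaks: findPathsToKey(shallow, "googleData"),
    deepLeaks: findPathsToKey(deep, "googleData"),
    cyclePreserved: deep.sessions[0].owner === deep,
  };
}
```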