security: use safeJsonParse in WAC ACL parser for DoS protection

Security Audit · claude · Security Audit · commit 204fdfbeb919 · 2026-01-05T15:08:35.000Z
Replace raw JSON.parse() with safeJsonParse() which enforces a 10MB size limit before parsing. This prevents memory exhaustion attacks via maliciously large ACL documents. The safeJsonParse utility was already available in utils/url.js but wasn't being used consistently across the codebase. This addresses the audit finding about inconsistent JSON parsing protection. CVSS: 5.3 (Medium) - DoS via large JSON payloads 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
diff --git a/src/wac/parser.js b/src/wac/parser.js
@@ -4,6 +4,7 @@
  */
 
 import { turtleToJsonLd } from '../rdf/turtle.js';
+import { safeJsonParse } from '../utils/url.js';
 
 const ACL = 'http://www.w3.org/ns/auth/acl#';
 const FOAF = 'http://xmlns.com/foaf/0.1/';
@@ -35,9 +36,9 @@ export async function parseAcl(content, aclUrl) {
   if (typeof content === 'object' && content !== null) {
     doc = content;
   } else if (typeof content === 'string') {
-    // Try JSON-LD first
+    // Try JSON-LD first (with size limit for DoS protection)
     try {
-      doc = JSON.parse(content);
+      doc = safeJsonParse(content);
     } catch {
       // Not JSON, try Turtle
       try {
