RI-7973 Enhance JSON parse to safely handle prototype pollution

[valkirilov]

What

Update JSON parser configuration to allow constructor and __proto__ properties to be preserved during JSON parsing

Note: Since RedisInsight displays arbitrary user data from Redis, is it safe to do so?

Reference #5412

Testing

1. Create a JSON key with such proprietary values

JSON.SET mykey $ '{"constructor":"example value"}'

2. Try to open the key on the Browser page

Before	After

---

Note

Ensures JSON values with potentially dangerous property names are preserved when reading from RedisJSON.

• Configure JSONBigInt in rejson-rl.service.ts with protoAction: 'preserve' and constructorAction: 'preserve'
• Add unit tests in rejson-rl.service.spec.ts verifying handling of constructor, "__proto__" (as raw string), and nested occurrences during getJson

^{Written by Cursor Bugbot for commit 23ebeab. This will update automatically on new commits. Configure here.}

[github-actions]

Code Coverage - Backend unit tests

St.❔	Category	Percentage	Covered / Total
🟢	Statements	92.42%	13988/15136
🟡	Branches	74.42%	4280/5751
🟢	Functions	86.01%	2151/2501
🟢	Lines	92.23%	13375/14502

Test suite run success

3017 tests passing in 288 suites.

Report generated by 🧪jest coverage report action from 23ebeab

[github-actions]

Code Coverage - Integration Tests

Status	Category	Percentage	Covered / Total
🟢	Statements	81.51%	16351/20059
🟡	Branches	64.6%	7424/11491
🟡	Functions	70.4%	2289/3251
🟢	Lines	81.15%	15385/18958

[pd-redis]

We have had 2 CVEs in the last couple of months related to loose parsing of user data - React Server Components and N8N, both of them allowed arbitrary code execution because of interpreting strings (JSON) as javascript. Therefore, my opinion is that ANY parsing of JS keywords (such as constructor) should be avoided