Comments (2)
I concur, this is a vulnerability. Repro on the CLI:
[13:40:35 trentm@purple:~/tm/json (git:master)]
% ls hi.txt
ls: hi.txt: No such file or directory
[13:40:39 trentm@purple:~/tm/json (git:master rv:1)]
% echo '{"foo": "bar"}' | json '{[this.constructor.constructor("return process")().mainModule.require("child_process").execSync("touch hi.txt").toString()]:1}'
[13:40:51 trentm@purple:~/tm/json (git:master)]
% ls hi.txt
hi.txt
Internally parseLookup is using vm.runInNewContext to eval the lookup string between the brackets.
I propose a breaking change to json (to be released as version 10.0.0) that would limit the supported syntax for bracketed lookup strings such that eval'ing is not necessary.
Here is the attempted repro result after my current draft of changes:
[13:44:25 trentm@purple:~/tm/json (git:master)]
% ls hi.txt
ls: hi.txt: No such file or directory
[13:44:27 trentm@purple:~/tm/json (git:master rv:1)]
% echo '{"foo": "bar"}' | ./lib/json.js '{[this.constructor.constructor("return process")().mainModule.require("child_process").execSync("touch hi.txt").toString()]:1}'
/Users/trentm/tm/json/lib/json.js:892
throw new Error(format('invalid bracketed lookup ' +
^
Error: invalid bracketed lookup string: "[this.constructor.constructor(\"return process\")().mainModule.require(\"child_process\").execSync(\"touch hi.txt\").toString()]" (must be of the form ['...'], ["..."], or [`...`])
at parseLookup (/Users/trentm/tm/json/lib/json.js:892:31)
at /Users/trentm/tm/json/lib/json.js:1367:16
at Array.map (<anonymous>)
at main (/Users/trentm/tm/json/lib/json.js:1366:30)
at Object.<anonymous> (/Users/trentm/tm/json/lib/json.js:1749:5)
at Module._compile (internal/modules/cjs/loader.js:778:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:789:10)
at Module.load (internal/modules/cjs/loader.js:653:32)
at tryModuleLoad (internal/modules/cjs/loader.js:593:12)
at Function.Module._load (internal/modules/cjs/loader.js:585:3)
[13:44:38 trentm@purple:~/tm/json (git:master rv:1)]
% ls hi.txt
ls: hi.txt: No such file or directory
from json.
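As an added example (not json's own code, and not the draft the comment above refers to), here is a lookup parser that accepts only the three quoted bracket forms named in the error message and never evaluates any part of the lookup string; the function names, the dotted-name handling and the exact error wording are assumptions.

```javascript
'use strict';

// Added example (not json's own code): parse a lookup such as
//   foo.bar["baz.qux"][`x`]
// into path components without evaluating it. Inside brackets only
// ['...'], ["..."] and [`...`] are accepted; anything else is rejected.
const QUOTES = "'\"`";

function parseLookup(lookup) {
  const parts = [];
  let name = '';
  let i = 0;
  while (i < lookup.length) {
    const ch = lookup[i];
    if (ch === '.') {                       // dotted segment separator
      if (name) { parts.push(name); name = ''; }
      i += 1;
    } else if (ch === '[') {                // bracketed segment
      if (name) { parts.push(name); name = ''; }
      const q = lookup[i + 1];
      const end = QUOTES.includes(q) ? lookup.indexOf(q, i + 2) : -1;
      if (end === -1 || lookup[end + 1] !== ']') {
        const close = lookup.indexOf(']', i);
        const bad = close === -1 ? lookup.slice(i) : lookup.slice(i, close + 1);
        throw new Error('invalid bracketed lookup string: ' + JSON.stringify(bad) +
          " (must be of the form ['...'], [\"...\"], or [`...`])");
      }
      parts.push(lookup.slice(i + 2, end));  // key taken verbatim: no escapes, no eval
      i = end + 2;
    } else if (ch === ']') {
      throw new Error('unexpected "]" in lookup: ' + JSON.stringify(lookup));
    } else {
      name += ch;
      i += 1;
    }
  }
  if (name) parts.push(name);
  return parts;
}

// Walk an object along the parsed path; undefined when any step is missing.
function lookupValue(obj, lookup) {
  return parseLookup(lookup).reduce(
    (cur, key) => (cur == null ? undefined : cur[key]), obj);
}
```

Because the key between the quotes is copied verbatim, a key containing `]` or `.` works (`a['b]c']`), while any unquoted bracket content, including the expression from the report, is rejected before it can reach an interpreter.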
json@10.0.0 is published to npm, and a "10.0.0" git tag added.
Thanks for the report!
from json.