Comments (8)
The NPM security team has now removed advisory 1566, which is their name for the https://hackerone.com/reports/690010 report.
They did this because the report is a false positive: the npm package does not contain the reported vulnerability.
@skanaar yes! I will update the HackerOne report.
Hello from the jsonpath community-- it seems clear that the original author doesn't have time for this but we are using jison to generate the parser. Can you give us an idea of the risk of this security issue?
The issue has already been disclosed: https://hackerone.com/reports/690010. We will be requesting a CVE for it.
@MarcinHoppe the exploit example seems legit but it looks to me like that's dead code. That said, this project desperately needs TLC.
That's true, we have been unable to get in touch with the maintainer and had to disclose the vulnerability without the fix available.
The issue is a false positive. If you use Jison via NPM you will not be exposed to the offending code.
The steps to reproduce explicitly say that you have to git clone some other code than the published package.
GitHub has also removed their security advisory associated with this report.
@MarcinHoppe perhaps this issue can be closed?