-
Notifications
You must be signed in to change notification settings - Fork 122
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Potential Code Injection Vulnerability in -d Argument #148
Comments
Thanks! Sorry for the delay.
This was added in #26 to support handling escapes. Specifically the example case was to handle wanting TSV output, e.g.:
without that patch:
|
Actually that fails tests. Specifically the issue is that with
For example, with current code:
and with the patch from #150 using JSON.parse:
I think ultimately using JSON.parse is a satisfactory change (supporting only JSON escapes in a tool called
|
Replace eval with JSON.parse This handles the code injection vuln in `-d DELIM`, but introduces a backward incompatibility because JSON escapes are a subset of JavaScript escapes. Co-authored-by: ready-research <72916209+ready-research@users.noreply.github.com> Refs: #148
json@11.0.0 released today with this fix. Thanks. |
If attackers or malicious users can control
-d
argument, which seems harmless, they can execute arbitrary JavaScript code.PoC
Detail
It use
_parseString
function to process-d
argument, which use eval to evaluate.json/lib/json.js
Lines 126 to 130 in 27e1ad7
And we can simply escape those
replace
and execute our malicious code now.For example, if we use
-d '""+console.log(1) //'
as an argument, then it will eval"\""+console.log(1) //"
, which means "a string with a double quote concat with the return value ofconsole.log
.Postscript
Well, actually I don't understand why we need to call
_parseString
function, I think directly use-d
argument input as delimiter is enough 🤔The text was updated successfully, but these errors were encountered: