JSONPath-Plus / JSONPath

A fork of JSONPath from http://goessner.net/articles/JsonPath/

Secure by default #182

Closed rluvaton closed 1 year ago

rluvaton commented 1 year ago

Currently the JavaScript evaluation is enabled by default, which is bad practice. I know this project is not maintained anymore, but given the case I would like to know if you would merge a PR that disables the evaluation by default.

JavaScript evaluation is very dangerous if it comes from user input (even if it's running in a sandbox). For example, the following path will cause a Heap out of Memory error:

```js
const { JSONPath } = require('jsonpath-plus');

JSONPath({
  json: { nonEmpty: 'object' },
  path: '$..[?(' +
    '(function a(arr){' +
    'a([...arr, ...arr])' +
    '})([1]);)]'
});
```

brettz9 commented 1 year ago

Yes, normally I'd agree that a project should go with safe-by-default, but as this project has long been around, derived from jsonpath which also had the same issue, I think we would be taking away too much functionality from users accustomed to the project if we are not providing at least a subset of filtering expressions without eval. Until such time as we can have a safe sandbox on by default, one can opt into preventEval.
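
The following is an added example, not code from this thread or from the jsonpath-plus project. It shows how a caller can defend against the problem discussed above while the library still evaluates expressions by default: `screenPath` (a hypothetical helper) rejects any path containing a script or filter expression before it reaches the library, and `safeQuery` (also hypothetical) always passes the real `preventEval: true` option mentioned by brettz9 and turns the library's throw into a rejected result. The evaluator is injected so the file runs offline; `stubEvaluate` is a constructed stand-in for `require('jsonpath-plus').JSONPath` that supports plain `$.a.b` lookups and, like the real library with `preventEval`, throws when asked to evaluate an expression.

```javascript
// Layer 1: pre-screen an untrusted JSONPath string. Any "(" outside a
// quoted member name means a script expression "[(...)]" or a filter
// "[?(...)]", both of which the library would hand to eval. Parentheses
// inside quotes (e.g. $['a(b)']) are legitimate member names, so the
// scanner tracks quote state and backslash escapes.
function screenPath(path) {
  let quote = null; // currently inside '...' or "..." ?
  for (let i = 0; i < path.length; i++) {
    const ch = path[i];
    if (quote) {
      if (ch === '\\') { i++; continue; } // skip the escaped character
      if (ch === quote) quote = null;
      continue;
    }
    if (ch === "'" || ch === '"') { quote = ch; continue; }
    if (ch === '(') {
      return { ok: false, reason: `script/filter expression at offset ${i}` };
    }
  }
  if (quote) return { ok: false, reason: 'unterminated string in path' };
  return { ok: true };
}

// Layer 2: a single query entry point that can never forget preventEval.
// `evaluate` is the JSONPath function (real library or the stub below).
function safeQuery(evaluate, json, path) {
  const screened = screenPath(path);
  if (!screened.ok) return { ok: false, reason: screened.reason, results: [] };
  try {
    const results = evaluate({ json, path, preventEval: true });
    return { ok: true, results };
  } catch (err) {
    return { ok: false, reason: `evaluator rejected path: ${err.message}`, results: [] };
  }
}

// Constructed stand-in for jsonpath-plus so this example runs offline.
// Handles "$", "$.a", "$.a.b"; throws on any expression, as the real
// library does when preventEval is set (message text is made up here).
function stubEvaluate({ json, path, preventEval }) {
  if (path.includes('(')) {
    throw new Error(preventEval ? 'expression evaluation disabled'
                                : 'stub cannot evaluate expressions');
  }
  const parts = path.replace(/^\$\.?/, '').split('.').filter(Boolean);
  let cur = json;
  for (const p of parts) {
    if (cur === null || typeof cur !== 'object' || !(p in cur)) return [];
    cur = cur[p];
  }
  return [cur];
}

// Constructed inputs: a benign path and the heap-exhaustion path from the
// issue. The second never reaches the evaluator.
const dosPath = '$..[?((function a(arr){a([...arr, ...arr])})([1]);)]';
console.log(safeQuery(stubEvaluate, { store: { count: 3 } }, '$.store.count'));
console.log(safeQuery(stubEvaluate, { nonEmpty: 'object' }, dosPath));
```

With the real package installed, replace `stubEvaluate` with `require('jsonpath-plus').JSONPath`; the screening step is still worth keeping even after the library defaults changed, because it gives a clear rejection reason at the application boundary instead of a parse error from inside the evaluator.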

80avin commented 3 months ago

Hey @rluvaton, not sure if it's relevant now, but JSONPath-Plus is now safe by default, and the expression you entered fails with the error:

index-browser-umd.cjs:1694 Uncaught Error: Unexpected "{" at character 16