search

OneIdentity / IdentityManager.Imx

HTML5 source code for Identity Manager web apps
Other
28 stars 109 forks source link

Bump json from 9.0.6 to 11.0.0 in /imxweb #39

Closed RaffiMezaduryanQuest closed 2 years ago

RaffiMezaduryanQuest commented 2 years ago

Bumps json from 9.0.6 to 11.0.0.

Changelog

Sourced from json's changelog.

11.0.0

  • Backward incompatible and security-related change to parsing the -d DELIM option. (#148)

    The -d DELIM option allows specifying the field delimiter in output:

      % echo '{"name":"trent","age":38}' | json -a name age
  trent 38
  % echo '{"name":"trent","age":38}' | json -a name age -d,
  trent,38

    The given "DELIM" string is parsed to allow escapes. For example:

      % echo '{"name":"trent","age":38}' | json -a name age -d'\t'
  trent 38
  % echo '{"name":"trent","age":38}' | json -a name age -d'\n'
  trent
  38

    Before this change, that parsing used eval(), which allowed for unintended code execution if an untrusted argument to -d was provided. The fix for this vulnerability changes to use JSON.parse() to support escapes. However that results in a backward incompatible change, because the set of JSON escapes is a subset of JavaScript escapes.

    The only escape I expect that would affect any current user would be the null byte escape (\0) which can be useful for processing values that may have spaces or other likely delimiter characters. For example:

      # BEFORE
  % echo '{"title":"Monsters, Inc.","year":"2001"}' \
    | json -a title year -d'\0' \
    | xargs -0 node -e 'console.log(process.argv)'
  [ 'node', 'Monsters, Inc.', '2001\n' ]

    AFTER
    

    % echo '{"title":"Monsters, Inc.","year":"2001"}' | json -a title year -d'\0'
json: error: Unexpected number in JSON at position 2

    One must now use the JSON unicode escape syntax, '\u0000':

      % echo '{"title":"Monsters, Inc.","year":"2001"}' \
    | json -a title year -d'\u0000' \
    | xargs -0 node -e 'console.log(process.argv)'
  [ 'node', 'Monsters, Inc.', '2001\n' ]

10.0.0

... (truncated)

Commits
  • e08c868 11.0.0
  • 0672aad fix test suite for new '-d DELIM' tests for node >=12
  • 4a69ea3 doc, fix tests, and improve errors for '-d DELIM' change in #150
  • 4114e32 Fix Code injection in -d DELIM through use of eval (#150)
  • 27e1ad7 update devDeps to latest version; regen 'json_parse' with latest uglify-js ve...
  • ffeaab4 bump semver (#137) and fix tools/perf.js
  • cc47981 BREAKING CHANGE: limit syntax for bracketed lookup strings to fix vuln (#145)
  • 8d3cf25 Update README.md
  • See full diff in compare view