dchester / jsonpath

Query and manipulate JavaScript objects with JSONPath expressions. Robust JSONPath engine for Node.js.
MIT License

New secure jsonpath-sandbox fork #140

Open movitto opened 4 years ago

movitto commented 4 years ago

Hello Javascripters!

While not an issue per se, this topic may be of interest to those looking to use jsonpath from a nodejs environment to process arbitrary / user-specified expressions. After analysing the source code it became apparent that this library is not the best to do so as the builtin expression evaluation mechanism uses static-eval which according to that project's readme:

It is NOT suitable for handling arbitrary untrusted user input. Malicious user input can execute arbitrary code.

This is elaborated in a recent issue comment by one of the project authors @goto-bus-stop:

If you allow those function calls, someone can craft JS code that will access the prototype of those functions, which is the Function constructor, which is eval (real eval). There are many ways to do that, so while we've got checks in place to prevent some of those cases, it's likely that there are other undiscovered cases. static-eval was built for use in build pipelines on trusted code, so here it makes more sense to just explicitly be unsafe rather than try to plug all the holes forever

So while this jsonpath library uses static-eval, one cannot sleep soundly at night knowing that they are fully safe from malicious user input. Enter jsonpath-sandbox...

After evaluating options, we decided that the most suitable solution would be to modify the jsonpath backend so as to dispatch to an alternative / safe expression interpreter that would allow us to process arbitrary user input. For this we used the v8-sandbox library which wraps the V8 Javascript engine from Google, simply exposing the built-in/isolated Javascript environment and nothing more. Thus nothing from NodeJS is exposed and we can now process JSONPath expressions without having to worry about malicious code injection.

There are a few caveats though,

The tests have been fully updated and work 100%, verifying all original JSONPath functionality so this should be good to go, though some community testing and feedback would be more than appreciated (we'd more than welcome issues and PRs on our fork). We hope this helps others in the situation we are in, be sure to follow Dev Null Productions (our startup) for tools and services which use this library in production in the near future!
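A syntactic gate for untrusted expressions, as an added example (not code from jsonpath or the jsonpath-sandbox fork): it admits a JSONPath only when every `[?( ... )]` filter is a plain comparison on `@` properties, and rejects script expressions `[( ... )]`, calls, `this` and bracket access before the path is handed to `jp.query`. The function names `checkUntrustedPath`, `extractFilters`, `filterIsSimple` and the 512-character limit are assumptions of this example.

```javascript
// Added example, not part of jsonpath or jsonpath-sandbox: admit an untrusted JSONPath only when every
// [?( ... )] filter fits this grammar, so calls, `this`, [] access and arithmetic never reach static-eval:
//   expr := term (('&&'|'||') term)*   term := '(' expr ')' | operand [cmp operand]   operand := @.a.b | literal
const TOKEN_RE = /\s*(?:(@(?:\.[A-Za-z_$][\w$]*)+)|(-?\d+(?:\.\d+)?|true|false|null|'[^'\\]*'|"[^"\\]*")|(==|!=|<=|>=|<|>|&&|\|\||\(|\)))/y;

function tokenize(body) { // sticky-regex tokenizer; null if any character is outside the allowed alphabet
  const toks = [];
  for (let pos = 0; pos < body.length; pos = TOKEN_RE.lastIndex) {
    TOKEN_RE.lastIndex = pos;
    const m = TOKEN_RE.exec(body);
    if (!m) return null;
    toks.push(m[1] ? { t: 'path', v: m[1] } : m[2] ? { t: 'lit', v: m[2] } : { t: 'op', v: m[3] });
  }
  return toks;
}
function filterIsSimple(body) { // recursive descent over the grammar above; every token must be consumed
  const toks = tokenize(body.trim());
  if (!toks) return false;
  let i = 0;
  const operand = () => (toks[i] && toks[i].t !== 'op' ? (i++, true) : false);
  const term = () => {
    if (toks[i]?.v === '(') { i++; return expr() && toks[i]?.v === ')' && (i++, true); }
    if (!operand()) return false;
    return /^(==|!=|<=|>=|<|>)$/.test(toks[i]?.v) ? (i++, operand()) : true;
  };
  const expr = () => {
    if (!term()) return false;
    while (toks[i]?.v === '&&' || toks[i]?.v === '||') { i++; if (!term()) return false; }
    return true;
  };
  return expr() && i === toks.length;
}
function extractFilters(path) { // bodies of every [?( ... )] filter, or null if parentheses are unbalanced
  const out = [];
  for (let i = path.indexOf('[?('), j = 0; i !== -1; i = path.indexOf('[?(', j)) {
    let depth = 0;
    for (j = i + 2; j < path.length && !(path[j] === ')' && --depth === 0); j++) if (path[j] === '(') depth++;
    if (j === path.length) return null;
    out.push(path.slice(i + 3, j));
  }
  return out;
}

function checkUntrustedPath(path) { // hypothetical gate to call before jp.query(data, path)
  if (typeof path !== 'string' || path.length > 512) return { ok: false, reason: 'not a string or too long' };
  if (/\[\s*\(/.test(path)) return { ok: false, reason: 'script expression [( ... )] not allowed' };
  const filters = extractFilters(path);
  if (filters === null) return { ok: false, reason: 'unbalanced filter parentheses' };
  const bad = filters.find((f) => !filterIsSimple(f));
  return bad === undefined ? { ok: true } : { ok: false, reason: 'unsupported filter: ' + bad };
}
```

This is an allowlist on syntax only, applied in front of the engine (`if (checkUntrustedPath(path).ok) jp.query(data, path)`); it narrows what reaches the evaluator and does not replace the isolated evaluator the fork provides.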

movitto commented 4 years ago

jsonpath-sandbox 1.0.3 was just pushed to GitHub and npm, including performance optimizations and a new 'complexity' function returning a quantitative representation of expression complexity.