flitbit / json-ptr

A complete implementation of JSON Pointer (RFC 6901) for nodejs and modern browsers.
MIT License

`get()` blows up when single quotes are in the path #28

Closed mprast closed 3 years ago

mprast commented 3 years ago

Short repro via REPL using json-ptr 2.0.0:

```
> const ptr = require('json-ptr')
undefined

> badPointer = new JsonPointer("/I'm/bad")
JsonPointer { path: [ 'I\'m', 'bad' ] }

> badPointer.get({}) // expecting this to return undefined
Thrown:
SyntaxError: Unexpected identifier

> badPointer = new JsonPointer(["I'm", "also", "bad"])
JsonPointer { path: [ 'I\'m', 'also', 'bad' ] }

> badPointer.get({}) // expecting this to return undefined
Thrown:
SyntaxError: Unexpected identifier
```

Looks like RFC 6901 mentions that quotes must be escaped in paths, but I couldn't find anything in the json-ptr docs that mentioned what is or isn't escaped by the library. Worth mentioning that it seems to work with other tricky inputs - for example, forward slashes in paths seem to be handled correctly.

cerebralkungfu commented 3 years ago

This bug allows arbitrary code execution as reported in #30
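
Added example, not part of the issue thread and not json-ptr's source: a `SyntaxError` raised at `get()` time is what happens when a getter is compiled from the pointer's tokens by string concatenation, so the sketch below assumes that pattern and sets it beside a getter that walks the tokens without generating code. All function names and the sample document are constructed for illustration.

```javascript
// Added illustration; NOT json-ptr's source. Function names are hypothetical.
// Decode an RFC 6901 pointer string into reference tokens (~1 -> '/', ~0 -> '~').
function decodePointer(pointer) {
  if (pointer === '') return [];
  if (pointer[0] !== '/') throw new TypeError('pointer must be empty or start with "/"');
  return pointer.slice(1).split('/').map(t => t.replace(/~1/g, '/').replace(/~0/g, '~'));
}

// Fragile pattern (assumed): paste each token into a single-quoted string
// literal in generated source, then compile it with the Function constructor.
function compileGetterUnsafe(tokens) {
  let src = 'var it = obj;\n';
  for (const t of tokens) {
    src += "if (it == null) return undefined;\nit = it['" + t + "'];\n";
  }
  return new Function('obj', src + 'return it;');
}

// Hardened: no code generation; tokens are only ever used as own-property keys.
function getSafe(obj, tokens) {
  let it = obj;
  for (const t of tokens) {
    if (it === null || typeof it !== 'object') return undefined;
    if (!Object.prototype.hasOwnProperty.call(it, t)) return undefined;
    it = it[t];
  }
  return it;
}

// Run fn and report the error class instead of throwing.
function outcome(fn) {
  try { return { ok: true, value: fn() }; }
  catch (e) { return { ok: false, error: e.name }; }
}

const doc = { "I'm": { bad: 42 }, 'a/b': 1 }; // constructed sample document
function demo() {
  const tokens = decodePointer("/I'm/bad");
  return {
    unsafe: outcome(() => compileGetterUnsafe(tokens)(doc)), // token breaks the literal
    safeHit: getSafe(doc, tokens),                           // value found
    safeMiss: getSafe({}, tokens),                           // undefined, no throw
    slash: getSafe(doc, decodePointer('/a~1b')),             // escaped '/' in a key
  };
}
console.log(demo());
```

If generated code has to stay for performance, emitting each token with `JSON.stringify(t)` instead of hand-written quotes yields a valid string literal in ES2019+ engines, so the token can no longer close the literal.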