flitbit / json-ptr

A complete implementation of JSON Pointer (RFC 6901) for nodejs and modern browsers.
MIT License

Arbitrary Code Execution in JsonPointer.get #30

Closed zpbrent closed 3 years ago

zpbrent commented 3 years ago

Hey maintainers @cehoffman @mortonfox @treybrisbane @chrishalbert , I have opened a PR (https://github.com/418sec/json-ptr/pull/3) which will fix the potential arbitrary code execution vulnerability in json-ptr. Please take a review.

If you are fine with that fix, please comment @huntr-helper - LGTM at https://github.com/418sec/json-ptr/pull/3, or if you need any modifications, please also comment on that PR. Thanks.

Ref: https://github.com/418sec/json-ptr/pull/3

cerebralkungfu commented 3 years ago

For anyone who comes across this issue, the PR, or the associated vulnerability on Huntr or elsewhere. This is a legit and valid vulnerability that will be patched.

If you are a programmer using json-ptr, it is possible for you to hack yourself by passing arbitrary code to the JsonPointer's .get() method. See the referenced PR's PoC to learn how to hack yourself.

If your code accepts user input, does not sanitize the user's input, and forwards the user's input to the JsonPointer's .get() method, then an unscrupulous user could execute arbitrary code in your program.

Never Send Un-sanitized User Input To json-ptr

The vulnerability in this library is my oversight. The vulnerability in your program is your oversight.
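
The comment above tells callers to sanitize pointers before they reach `.get()`. The following is an added example, not json-ptr's own code and not the PoC from the linked PR (which this page does not reproduce, and the exact mechanism is not described here): it applies a strict RFC 6901 syntax check to a pointer string and then resolves it with a plain property walk that never evaluates strings as code, so the same check can gate whatever pointer library you call afterwards. The function names (`isValidPointer`, `parsePointer`, `safeGet`) and the sample document are assumptions made for the example.

```javascript
// Added example (not part of json-ptr): validate a JSON Pointer string
// against RFC 6901 syntax before passing it on, and resolve it without
// any code generation.

// RFC 6901 syntax: the pointer is "" (whole document) or a sequence of
// "/" + reference-token. Inside a token the only escapes are "~0" (a
// literal "~") and "~1" (a literal "/"); a "~" followed by anything else,
// including end of string, is a syntax error.
function isValidPointer(ptr) {
  if (typeof ptr !== 'string') return false;
  if (ptr === '') return true;
  if (ptr[0] !== '/') return false;
  // every "~" must be followed by "0" or "1"
  return !/~(?![01])/.test(ptr);
}

// Decode one reference token. Order matters: "~1" first, then "~0", so
// "~01" decodes to "~1" rather than to "/".
function unescapeToken(token) {
  return token.replace(/~1/g, '/').replace(/~0/g, '~');
}

// Split a validated pointer into its decoded reference tokens.
// Throws on syntactically invalid input instead of trying to "fix" it.
function parsePointer(ptr) {
  if (!isValidPointer(ptr)) {
    throw new TypeError(`invalid JSON Pointer: ${JSON.stringify(ptr)}`);
  }
  if (ptr === '') return [];
  return ptr.slice(1).split('/').map(unescapeToken);
}

// Resolve a pointer by walking the document with own-property lookups only.
// Returns undefined when any step does not exist. Inherited properties such
// as "constructor" or "__proto__" are deliberately not reachable.
function safeGet(doc, ptr) {
  let node = doc;
  for (const token of parsePointer(ptr)) {
    if (node === null || typeof node !== 'object') return undefined;
    if (Array.isArray(node)) {
      // RFC 6901 array index: "0" or digits without a leading zero.
      // "-" (the element past the end) never exists for a read.
      if (!/^(0|[1-9][0-9]*)$/.test(token)) return undefined;
      node = node[Number(token)];
    } else {
      if (!Object.prototype.hasOwnProperty.call(node, token)) return undefined;
      node = node[token];
    }
  }
  return node;
}

// Constructed sample document and a few lookups (assumed data, not from the page).
const sampleDoc = { a: { b: [10, 20, { 'c/d': 'x' }] }, '': 'empty' };
console.log(safeGet(sampleDoc, '/a/b/2/c~1d'));      // 'x'
console.log(safeGet(sampleDoc, '/constructor/prototype')); // undefined
console.log(isValidPointer('a/b'));                   // false: must start with "/"
```

The check is an allowlist on syntax, not a blocklist of dangerous characters: a pointer that is not well-formed RFC 6901 is rejected outright, and the walk only ever indexes into data, so there is nothing for a hostile string to reach. Apply the same validation before calling any pointer library's `.get()` with untrusted input.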

cerebralkungfu commented 3 years ago

It appears that this is a duplicate of #28, even though it is a side effect of that bug.

cerebralkungfu commented 3 years ago

Fixed with the original report #28.