Backward incompatible and security-related change to parsing the -d DELIM option. (#148)

The -d DELIM option allows specifying the field delimiter in output:

```console
% echo '{"name":"trent","age":38}' | json -a name age
trent 38
% echo '{"name":"trent","age":38}' | json -a name age -d,
trent,38
```

The given "DELIM" string is parsed to allow escapes. For example:

```console
% echo '{"name":"trent","age":38}' | json -a name age -d'\t'
trent 38
% echo '{"name":"trent","age":38}' | json -a name age -d'\n'
trent
38
```
Before this change, that parsing used eval(), which allowed unintended code execution if an untrusted argument to -d was provided. The fix for this vulnerability switches to JSON.parse() to handle the escapes. However, that is a backward incompatible change, because the set of JSON escapes is only a subset of the JavaScript escapes.
The only escape I expect would affect any current user is the null byte escape (\0), which can be useful for processing values that may have spaces or other likely delimiter characters. For example:

```console
# BEFORE
% echo '{"title":"Monsters, Inc.","year":"2001"}' \
    | json -a title year -d'\0' \
    | xargs -0 node -e 'console.log(process.argv)'
[ 'node', 'Monsters, Inc.', '2001\n' ]

# AFTER
% echo '{"title":"Monsters, Inc.","year":"2001"}' | json -a title year -d'\0'
json: error: Unexpected number in JSON at position 2
```

One must now use the JSON unicode escape syntax, '\u0000':

```console
% echo '{"title":"Monsters, Inc.","year":"2001"}' \
    | json -a title year -d'\u0000' \
    | xargs -0 node -e 'console.log(process.argv)'
[ 'node', 'Monsters, Inc.', '2001\n' ]
```
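The parsing change in miniature, as an added example that is not code from the json project: the exact shape of the pre-fix and post-fix code is an assumption, and the function names (`parseDelimLegacy`, `parseDelim`, `tryParseDelim`, `formatFields`) are made up for illustration. It shows why wrapping an argument in quotes and handing it to eval() lets the argument run code, and that JSON.parse() on the same wrapped string decodes `\t` and `\u0000`, rejects the JavaScript-only `\0` escape, and rejects any attempt to break out of the quotes.

```javascript
// Added example, not the json project's own code. Both parsers take the raw
// "-d DELIM" argument as the shell delivers it, e.g. the two characters
// backslash and t for -d'\t'.

// Pre-fix shape (assumed): wrap the argument in quotes and eval() the result.
// The quotes are meant to make a string literal, but an argument that closes
// the quote turns the remainder into arbitrary JavaScript that eval() runs.
function parseDelimLegacy(arg) {
  return eval('"' + arg + '"');
}

// Post-fix shape: JSON.parse() accepts only a JSON string literal. It decodes
// JSON escapes (\t, \n, \\, \", \uXXXX, ...) and throws SyntaxError for
// anything else, including \0 and a quote that would end the literal early.
// It never executes code.
function parseDelim(arg) {
  return JSON.parse('"' + arg + '"');
}

// Reports failures the way a CLI would instead of throwing:
// { ok: true, delim } or { ok: false, error }.
function tryParseDelim(arg) {
  try {
    return { ok: true, delim: parseDelim(arg) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// The part of "json -a FIELD... -d DELIM" the delimiter feeds into: the
// selected fields of one record joined into a single output line.
function formatFields(record, fields, delim) {
  return fields.map((f) => String(record[f])).join(delim);
}

// Constructed sample record matching the changelog's examples.
const sample = { name: 'trent', age: 38 };

// Runs the hardened parser over a few delimiter arguments and returns one
// line per argument: the formatted record, or the error a user would see.
function demo() {
  const lines = [];
  for (const raw of ['\\t', ',', '\\u0000', '\\0']) {
    const r = tryParseDelim(raw);
    lines.push(r.ok
      ? `-d'${raw}' -> ${JSON.stringify(formatFields(sample, ['name', 'age'], r.delim))}`
      : `-d'${raw}' -> json: error: ${r.error}`);
  }
  return lines;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo().join('\n'));
}
```

Running the file prints the tab, comma and `\u0000` cases as formatted records and the `\0` case as an error, which is the behaviour change the changelog describes; the legacy parser is kept only so the two can be compared side by side.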
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/homebase-id/homebase-id-app/network/alerts).
Bumps the npm_and_yarn group with 1 update in the /packages/react-native-gifted-chat directory: json.
Updates `json` from 10.0.0 to 11.0.0

Changelog
Sourced from json's changelog.

Commits
- e08c868 11.0.0
- 0672aad fix test suite for new '-d DELIM' tests for node >=12
- 4a69ea3 doc, fix tests, and improve errors for '-d DELIM' change in #150
- 4114e32 Fix Code injection in -d DELIM through use of eval (#150)
- 27e1ad7 update devDeps to latest version; regen 'json_parse' with latest uglify-js ve...
- ffeaab4 bump semver (#137) and fix tools/perf.js