jprichardson / node-jsonfile

Easily read/write JSON files.
MIT License

Possible Denial of Service #133

Closed SegfaultMasters closed 4 years ago

SegfaultMasters commented 4 years ago

Description: We observed that the function writeFileSync() in the file index.js does not have any validation over the input to the options parameter, which may lead to a possibility of Denial of Service or Code Execution if the options parameter is attacker controllable.

Version: 6.0.1

POC Snippet:

    const jsonfile = require('jsonfile');
    const file = 'any_file.json';
    const obj = { 'any': 'any' };
    // options.fs is a string rather than an fs-like module, so jsonfile's
    // internal call to its writeFileSync method throws a TypeError.
    jsonfile.writeFileSync(file, obj, { 'fs': 'abc' }, function (err) {
        // writeFileSync is synchronous; this fourth argument is ignored and never invoked.
        if (err) console.log(err);
        console.log("Done");
    })

Mitigation: Validate the options.fs parameter with a whitelist, such that it only accepts the attributes defined by the package (e.g. spaces, EOL, flag).

RyanZim commented 4 years ago

jsonfile is not designed for arbitrary input to the options parameter; anyone allowing a 3rd party to pass the options should implement their own whitelisting/validation.