Open hmoravec opened 3 years ago

We have an API endpoint returning a JSON response with a default schema in our backend service. We would like to allow the client to specify a JSONata expression which would be evaluated on the server, and the endpoint would return the transformed JSON.

But we have to be sure there are not any possible security issues, e.g.:

The simplest solution seems to be to check the expression for JSONata commands by checking the presence of `$` characters and allowing only whitelisted commands to be specified, e.g. `$.`, `$[` and `$merge`. Do you see any security threats with this approach, or do you have any other suggestion?

Would there be a possibility to run custom code on the server or to access the environment even if we allowed all JSONata commands? We found e.g. suggestion #88 for adding a command to access env vars, but it seems not to be implemented so far.

We have exactly the same doubts.

Are there any measures done for input sanitization? Especially for regexp? I did not find any in the code.

For RegExp safety, you can change the RegexEngine: `var RE2 = require('re2'); const expression = jsonata(str, { RegexEngine: RE2 });`
re2 is mentioned in the NodeJS docs: https://nodejs.org/en/learn/asynchronous-work/dont-block-the-event-loop#a-redos-example
https://github.com/uhop/node-re2
However, be warned that re2 is not compatible with all regular expressions.

I'm working on https://github.com/adamscybot/modular-jsonata (probably gonna be renamed to jsonata-stack). That will in part try to tackle this problem.