Security issue

[MarcinHoppe]

I'm a member of the Node.js Ecosystem Security Working Group and we received a report of a vulnerability in this module.

We tried inviting the author by e-mail but received no response so I'm opening this issue and inviting anyone with commit and npm publish rights to collaborate with us on a fix.

[rezonant]

Hello from the jsonpath community-- it seems clear that the original author doesn't have time for this but we are using jison to generate the parser. Can you give us an idea of the risk of this security issue?

[MarcinHoppe]

The issue has already been disclosed: https://hackerone.com/reports/690010. We will be requesting a CVE for it.

[metasansana]

@MarcinHoppe the exploit example seems legit but it looks to me like that's dead code. That said, this project desperately needs TLC.

[MarcinHoppe]

That's true, we have been unable to get in touch with the maintainer and had to disclose the vulnerability without the fix available.

[skanaar]

The issue is a false positive. If you use Jison via NPM you will not be exposed to the offending code.

The steps to reproduce explicitly says that you have to git clone some other code than the published package.

[skanaar]

The NPM security team has now removed advisory 1566 which is their name of the https://hackerone.com/reports/690010 report.

They did this as the report is a false positive, the npm package does not contain the reported vulnerability.

[skanaar]

GitHub has also removed their security advisory associated with this report.

@MarcinHoppe perhaps this issue can be closed?

[MarcinHoppe]

@skanaar yes! I will update the HackerOne report.