get() blows up when single quotes are in the path #28

Closed
mprast opened this issue Mar 24, 2021 · 1 comment
mprast commented Mar 24, 2021

Short repro via REPL using json-ptr 2.0.0:

> const ptr = require('json-ptr')
undefined

> badPointer = new JsonPointer("/I'm/bad")
JsonPointer { path: [ 'I\'m', 'bad' ] }

> badPointer.get({}) // expecting this to return undefined
Thrown:
SyntaxError: Unexpected identifier

> badPointer = new JsonPointer(["I'm", "also", "bad"])
JsonPointer { path: [ 'I\'m', 'also', 'bad' ] }

> badPointer.get({}) // expecting this to return undefined
Thrown:
SyntaxError: Unexpected identifier

Looks like RFC 6901 mentions that quotes must be escaped in paths, but I couldn't find anything in the json-ptr docs that mentioned what is or isn't escaped by the library. Worth mentioning that it seems to work with other tricky inputs - for example, forward slashes in paths seem to be handled correctly.

@cerebralkungfu
Contributor

This bug allows arbitrary code execution as reported in #30
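
An added example, not part of the issue thread and not json-ptr's code. It assumes the `SyntaxError` in the repro comes from path segments being spliced into generated function source, which the thread itself does not show; `parsePointer`, `compiledGet`, `safeGet` and `compileErrorName` are hypothetical names. The first getter reproduces the failure class on the reporter's pointer, the second resolves the same pointer by using segments only as property keys.

```javascript
// Added illustration; all function names here are hypothetical.

// RFC 6901: split on "/", then unescape ~1 -> "/" and ~0 -> "~" (in that order).
function parsePointer(pointer) {
  if (pointer === '') return [];
  if (pointer[0] !== '/') throw new TypeError('pointer must be "" or start with "/"');
  return pointer.slice(1).split('/').map(
    (seg) => seg.replace(/~1/g, '/').replace(/~0/g, '~'));
}

// Bug class (constructed): segments are pasted into source text and compiled.
// A quote inside a segment ends the string literal early, so the compiler
// treats the remainder of the segment as code instead of data.
function compiledGet(segments) {
  const body = segments.reduce(
    (src, seg) => src + " if (it == null) return undefined; it = it['" + seg + "'];",
    '') + ' return it;';
  return new Function('it', body);
}

// Hardened form: no code generation. Segments are only ever property keys,
// and only own properties are followed (a design choice of this example).
function safeGet(target, pointer) {
  let it = target;
  for (const seg of parsePointer(pointer)) {
    if (it === null || typeof it !== 'object') return undefined;
    if (!Object.prototype.hasOwnProperty.call(it, seg)) return undefined;
    it = it[seg];
  }
  return it;
}

// Returns the error name raised while compiling a getter, or null on success.
function compileErrorName(pointer) {
  try {
    compiledGet(parsePointer(pointer));
    return null;
  } catch (e) {
    return e.name;
  }
}

// The pointer from the report, run through both getters.
console.log(compileErrorName("/I'm/bad"));
console.log(safeGet({}, "/I'm/bad"));
```

A regression test for a fix of this kind would assert that `get()` returns `undefined` for pointers containing quotes, backslashes and newlines rather than throwing.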
