jsonpath

jsonpath - npm Package Compare versions

Comparing version
1.1.1
to
1.2.0
+51
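--- a/test/security.js
+++ b/test/security.js
+var assert = require('assert');
+var jp = require('../');
+suite('security', function() {
+var cleanup = function() {
+if (Object.prototype.polluted) {
+delete Object.prototype.polluted;
+}
+};
+teardown(function() {
+cleanup();
+});
+test('blocks prototype pollution via value()', function() {
+cleanup();
+var data = {};
+assert.throws(function() {
+jp.value(data, '$.__proto__.polluted', 'yes');
+}, /Unsafe key/);
+assert.equal(({}).polluted, undefined);
+});
+test('blocks prototype pollution via apply()', function() {
+cleanup();
+var data = { safe: { ok: true } };
+assert.throws(function() {
+jp.apply(data, '$.__proto__.polluted', function() { return 'yes'; });
+}, /Unsafe key/);
+assert.equal(({}).polluted, undefined);
+});
+test('blocks unsafe subscript access', function() {
+cleanup();
+var data = {};
+assert.throws(function() {
+jp.query(data, '$["__proto__"]["polluted"]');
+}, /Unsafe key/);
+assert.equal(({}).polluted, undefined);
+});
+test('blocks unsafe union access', function() {
+cleanup();
+var data = { safe: 1 };
+assert.throws(function() {
+jp.nodes(data, "$['safe','__proto__']");
+}, /Unsafe key/);
+assert.equal(({}).polluted, undefined);
+});
+});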
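Review bot: The new tests only exercise `value`, `apply`, `query` and `nodes`, so the `constructor`/`prototype` entries of the deny list and the guards added on the `parent`, vivification and path-normalisation paths have no coverage; a `$.constructor.prototype.polluted` write through `value()` reaches the same shared prototype object without ever naming `__proto__`, and nothing here pins that it is rejected. The case below closes that gap; a companion assertion that `jp.stringify(['$', '__proto__', 'polluted'])` throws `/Unsafe key/` would cover the identifier check in the normalisation helper, if that is where the `dict.identifier` match lives (it is only partly visible in the engine diff). Both belong next to the existing cases so a regression in any one layer is caught independently of the others.
```javascript
test('blocks prototype pollution via constructor chain', function() {
cleanup();
var data = {};
assert.throws(function() {
jp.value(data, '$.constructor.prototype.polluted', 'yes');
}, /Unsafe key/);
assert.equal(({}).polluted, undefined);
});
```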
+56
-1

@@ -26,2 +26,3 @@ var assert = require('assert');

var node = this.nodes(obj, string)[0];
if (node) this._assert_safe_path_keys(node.path);
var key = node.path.pop(); /* jshint unused:false */

@@ -43,2 +44,3 @@ return this.value(obj, node.path);

nodes.forEach(function(node) {
this._assert_safe_path_keys(node.path);
var key = node.path.pop();

@@ -61,2 +63,3 @@ var parent = this.value(obj, this.stringify(node.path));

if (!node) return this._vivify(obj, path, value);
this._assert_safe_path_keys(node.path);
var key = node.path.slice(-1).shift();

@@ -79,2 +82,4 @@ var parent = this.parent(obj, this.stringify(node.path));

this._assert_safe_path_keys(path);
var setValue = function(path, value) {

@@ -87,2 +92,3 @@ var key = path.pop();

}
self._assert_safe_key(key);
node[key] = value;

@@ -124,2 +130,3 @@ }

var path = this.parser.parse(string);
this._assert_safe_components(path);
var handlers = this.handlers;

@@ -215,2 +222,3 @@

if (typeof component == "string" && component.match("^" + dict.identifier + "$")) {
this._assert_safe_key(component);

@@ -228,2 +236,4 @@ _path.push({

if (type === 'string_literal') this._assert_safe_key(component);
_path.push({

@@ -235,3 +245,3 @@ operation: 'subscript',

}
});
}, this);

@@ -248,2 +258,43 @@ return _path;

JSONPath.prototype._assert_safe_key = function(key) {
if (_is_unsafe_key(key)) {
throw new Error("Unsafe key in JSONPath: " + key);
}
}
JSONPath.prototype._assert_safe_path_keys = function(path) {
if (!Array.isArray(path)) return;
path.forEach(function(key) {
if (key === '$') return;
if (typeof key === 'string') this._assert_safe_key(key);
}, this);
}
JSONPath.prototype._assert_safe_components = function(components) {
var self = this;
if (!Array.isArray(components)) return;
var checkExpression = function(expression) {
if (!expression) return;
if (expression.type === 'identifier' || expression.type === 'string_literal') {
self._assert_safe_key(expression.value);
return;
}
if (expression.type === 'union' && Array.isArray(expression.value)) {
expression.value.forEach(function(component) {
if (component && component.expression) {
checkExpression(component.expression);
}
});
}
};
components.forEach(function(component) {
if (component && component.expression) {
checkExpression(component.expression);
}
});
}
function _is_string(obj) {

@@ -253,2 +304,6 @@ return Object.prototype.toString.call(obj) == '[object String]';

function _is_unsafe_key(key) {
return key === '__proto__' || key === 'prototype' || key === 'constructor';
}
JSONPath.Handlers = Handlers;

@@ -255,0 +310,0 @@ JSONPath.Parser = Parser;
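Review bot: Because `_assert_safe_components` runs inside `parse`, the deny list in `_is_unsafe_key` is enforced on read-only `query`/`nodes` calls as well as on writes, so a document whose own keys legitimately include `constructor` or `prototype` can no longer be addressed by name in 1.2.0, and nothing in the hunk records that as a breaking change; whether a read could even reach inherited members depends on the member handlers, which are outside this diff. Either confine `prototype`/`constructor` to the write-side checks that already run (`_assert_safe_path_keys` in `value`/`apply`/`parent` and `_assert_safe_key` in the vivify setter) while keeping `__proto__` rejected everywhere, or state the decision above `_is_unsafe_key`: `// Rejected on every path, reads included: these names reach the shared prototype chain, so data with such own keys cannot be addressed by name.` Also note that `_assert_safe_components` inspects only `identifier`, `string_literal` and `union` components, so keys that script or filter subscripts produce at evaluation time rely solely on the runtime guards; a one-line comment on the function saying so (`// Static pass only; keys computed by script/filter subscripts are caught by _assert_safe_path_keys / _assert_safe_key at write time.`) would keep a future refactor from removing the wrong layer. As a matter of style, the three new `JSONPath.prototype._assert_*` assignments close with a bare `}` while `JSONPath.Handlers = Handlers;` keeps its terminating semicolon.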

+5
-5
{
"name": "jsonpath",
"description": "Query JavaScript objects with JSONPath expressions. Robust / safe JSONPath engine for Node.js.",
"version": "1.1.1",
"version": "1.2.0",
"author": "david@fmail.co.uk",
"scripts": {
"prepublishOnly": "node lib/aesprim.js > generated/aesprim-browser.js",
"test": "mocha -u tdd test && jscs lib && jshint lib",
"test": "mocha -u tdd test && jshint lib",
"generate": "node bin/generate_parser.js > generated/parser.js"
},
"dependencies": {
"esprima": "1.2.2",
"static-eval": "2.0.2",
"underscore": "1.12.1"
"esprima": "1.2.5",
"static-eval": "2.1.1",
"underscore": "1.13.6"
},

@@ -16,0 +16,0 @@ "browser": "./jsonpath.js",

Sorry, the diff of this file is too big to display

Sorry, the diff of this file is too big to display