fix(security): prevent constructor access in safe vm

Also: - docs: add security policy file
JSONPath-Plus · Oct 18, 2024 · b70aa71 · b70aa71
1 parent 763ada0
commit b70aa71
Show file tree

Hide file tree

Showing 14 changed files with 54 additions and 6 deletions.
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -6,6 +6,8 @@ labels: Bug - unconfirmed
 ---
 <!--
 **PLEASE NOTE: This project is not currently being very actively developed.**
+
+**ALSO: If wishing to report a security bug, please read SECURITY.md**
 -->
 
 ## Describe the bug

diff --git a/CHANGES.md b/CHANGES.md
@@ -1,5 +1,10 @@
 # CHANGES for jsonpath-plus
 
+## 10.0.7
+
+- fix(security): prevent `constructor` access
+- docs: add security policy file
+
 ## 10.0.6
 
 - fix(security): prevent `call`/`apply` invocation of `Function`

diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,20 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+If you believe you’ve found a security vulnerability, please send it to us by emailing [brettz9@yahoo.com](mailto:brettz9@yahoo.com). Please include the following details with your report:
+
+1. Description of the location and potential impact of the vulnerability
+
+2. A detailed description of the steps required to reproduce the vulnerability (POC scripts, etc.).
+
+3. How you would like to be credited.
+
+We will evaluate the vulnerability and, if necessary, release a fix or unertake mitigating steps to address it. We will contact you to let you know the outcome, and will credit you in the report.
+
+Please **do not disclose the vulnerability publicly** until we have sufficient time to release a fix.
+
+Once we have either a) published a fix, b) declined to address the vulnerability for whatever reason, or c) taken more than 30 days to reply, we welcome you to publicly report the vulnerability on our tracker and disclose it publicly. If you intend to
+disclose sooner regardless of our requested policy, please at least indicate to us when you plan to disclose.
diff --git a/badges/coverage-badge.svg b/badges/coverage-badge.svg
diff --git a/dist/index-browser-esm.js b/dist/index-browser-esm.js
@@ -1291,6 +1291,9 @@ const SafeEval = {
     return ast.value;
   },
   evalMemberExpression(ast, subs) {
+    if (ast.property.type === 'Identifier' && ast.property.name === 'constructor' || ast.object.type === 'Identifier' && ast.object.name === 'constructor') {
+      throw new Error("'constructor' property is disabled");
+    }
     const prop = ast.computed ? SafeEval.evalAst(ast.property) // `object[property]`
     : ast.property.name; // `object.property` property is Identifier
     const obj = SafeEval.evalAst(ast.object, subs);

diff --git a/dist/index-browser-esm.min.js b/dist/index-browser-esm.min.js
diff --git a/dist/index-browser-esm.min.js.map b/dist/index-browser-esm.min.js.map
diff --git a/dist/index-browser-umd.cjs b/dist/index-browser-umd.cjs
@@ -1297,6 +1297,9 @@
 	    return ast.value;
 	  },
 	  evalMemberExpression(ast, subs) {
+	    if (ast.property.type === 'Identifier' && ast.property.name === 'constructor' || ast.object.type === 'Identifier' && ast.object.name === 'constructor') {
+	      throw new Error("'constructor' property is disabled");
+	    }
 	    const prop = ast.computed ? SafeEval.evalAst(ast.property) // `object[property]`
 	    : ast.property.name; // `object.property` property is Identifier
 	    const obj = SafeEval.evalAst(ast.object, subs);

diff --git a/dist/index-browser-umd.min.cjs b/dist/index-browser-umd.min.cjs
diff --git a/dist/index-browser-umd.min.cjs.map b/dist/index-browser-umd.min.cjs.map
diff --git a/dist/index-node-cjs.cjs b/dist/index-node-cjs.cjs
@@ -1292,6 +1292,9 @@ const SafeEval = {
     return ast.value;
   },
   evalMemberExpression(ast, subs) {
+    if (ast.property.type === 'Identifier' && ast.property.name === 'constructor' || ast.object.type === 'Identifier' && ast.object.name === 'constructor') {
+      throw new Error("'constructor' property is disabled");
+    }
     const prop = ast.computed ? SafeEval.evalAst(ast.property) // `object[property]`
     : ast.property.name; // `object.property` property is Identifier
     const obj = SafeEval.evalAst(ast.object, subs);

diff --git a/dist/index-node-esm.js b/dist/index-node-esm.js
@@ -1290,6 +1290,9 @@ const SafeEval = {
     return ast.value;
   },
   evalMemberExpression(ast, subs) {
+    if (ast.property.type === 'Identifier' && ast.property.name === 'constructor' || ast.object.type === 'Identifier' && ast.object.name === 'constructor') {
+      throw new Error("'constructor' property is disabled");
+    }
     const prop = ast.computed ? SafeEval.evalAst(ast.property) // `object[property]`
     : ast.property.name; // `object.property` property is Identifier
     const obj = SafeEval.evalAst(ast.object, subs);

diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "author": "Stefan Goessner",
   "name": "jsonpath-plus",
-  "version": "10.0.6",
+  "version": "10.0.7",
   "type": "module",
   "bin": {
     "jsonpath": "./bin/jsonpath-cli.js",

diff --git a/src/Safe-Script.js b/src/Safe-Script.js
@@ -105,6 +105,15 @@ const SafeEval = {
         return ast.value;
     },
     evalMemberExpression (ast, subs) {
+        if (
+            (ast.property.type === 'Identifier' &&
+                ast.property.name === 'constructor') ||
+            (ast.object.type === 'Identifier' &&
+                ast.object.name === 'constructor')
+        ) {
+            throw new Error("'constructor' property is disabled");
+        }
+
         const prop = ast.computed
             ? SafeEval.evalAst(ast.property) // `object[property]`
             : ast.property.name; // `object.property` property is Identifier
-Original file line number
+Diff line change
@@ Expand Up / @@ -6,6 +6,8 @@ labels: Bug - unconfirmed @@
     ---
     <!--
     **PLEASE NOTE: This project is not currently being very actively developed.**
+    **ALSO: If wishing to report a security bug, please read SECURITY.md**
     -->
     ## Describe the bug
@@ Expand Down @@