fix possible RCE in jsonpath-plus

rluvaton · rluvaton · commit 1fcd9f8b647b · 2022-11-16T09:42:32.000+02:00
diff --git a/src/azure_auth.ts b/src/azure_auth.ts
@@ -1,10 +1,10 @@
 import * as proc from 'child_process';
 import https = require('https');
-import * as jsonpath from 'jsonpath-plus';
 import request = require('request');
 
 import { Authenticator } from './auth';
 import { User } from './config_types';
+import { jsonpath } from './json_path';
 
 /* FIXME: maybe we can extend the User and User.authProvider type to have a proper type.
 Currently user.authProvider has `any` type and so we don't have a type for user.authProvider.config.
@@ -94,7 +94,7 @@ export class AzureAuth implements Authenticator {
         const tokenPathKey = '$' + tokenPathKeyInConfig.slice(1, -1);
         const expiryPathKey = '$' + expiryPathKeyInConfig.slice(1, -1);
 
-        config['access-token'] = jsonpath.JSONPath(tokenPathKey, resultObj);
-        config.expiry = jsonpath.JSONPath(expiryPathKey, resultObj);
+        config['access-token'] = jsonpath(tokenPathKey, resultObj);
+        config.expiry = jsonpath(expiryPathKey, resultObj);
     }
 }
diff --git a/src/gcp_auth.ts b/src/gcp_auth.ts
@@ -1,10 +1,10 @@
 import * as proc from 'child_process';
 import https = require('https');
-import * as jsonpath from 'jsonpath-plus';
 import request = require('request');
 
 import { Authenticator } from './auth';
 import { User } from './config_types';
+import { jsonpath } from './json_path';
 
 /* FIXME: maybe we can extend the User and User.authProvider type to have a proper type.
 Currently user.authProvider has `any` type and so we don't have a type for user.authProvider.config.
@@ -90,7 +90,7 @@ export class GoogleCloudPlatformAuth implements Authenticator {
         const tokenPathKey = '$' + tokenPathKeyInConfig.slice(1, -1);
         const expiryPathKey = '$' + expiryPathKeyInConfig.slice(1, -1);
 
-        config['access-token'] = jsonpath.JSONPath(tokenPathKey, resultObj);
-        config.expiry = jsonpath.JSONPath(expiryPathKey, resultObj);
+        config['access-token'] = jsonpath(tokenPathKey, resultObj);
+        config.expiry = jsonpath(expiryPathKey, resultObj);
     }
 }
diff --git a/src/json_path.ts b/src/json_path.ts
@@ -0,0 +1,10 @@
+import {JSONPath} from 'jsonpath-plus';
+
+export function jsonpath(path: string, json: object): any {
+    return JSONPath({
+        path,
+        json,
+
+        preventEval: true,
+    });
+}
diff --git a/src/json_path_test.ts b/src/json_path_test.ts
@@ -0,0 +1,10 @@
+import { expect } from 'chai';
+import { jsonpath } from './json_path';
+
+describe('jsonpath', () => {
+    it('should throw if vulnerable for RCE (remote code execution)', () => {
+        expect(() => {
+            jsonpath('$..[?(' + '(function a(arr){' + 'a([...arr, ...arr])' + '})([1]);)]', { nonEmpty: 'object' });
+        }).to.throw();
+    });
+});
