Merge pull request #900 from rluvaton/master

fix possible RCE in jsonpath-plus

Author: k8s-ci-robot

src/azure_auth.ts

@@ -1,10 +1,10 @@
 import * as proc from 'child_process';
 import https = require('https');
-import * as jsonpath from 'jsonpath-plus';
 import request = require('request');
 
 import { Authenticator } from './auth';
 import { User } from './config_types';
+import { jsonpath } from './json_path';
 
 /* FIXME: maybe we can extend the User and User.authProvider type to have a proper type.
 Currently user.authProvider has `any` type and so we don't have a type for user.authProvider.config.
@@ -94,7 +94,7 @@ export class AzureAuth implements Authenticator {
         const tokenPathKey = '$' + tokenPathKeyInConfig.slice(1, -1);
         const expiryPathKey = '$' + expiryPathKeyInConfig.slice(1, -1);
 
-        config['access-token'] = jsonpath.JSONPath(tokenPathKey, resultObj);
-        config.expiry = jsonpath.JSONPath(expiryPathKey, resultObj);
+        config['access-token'] = jsonpath(tokenPathKey, resultObj);
+        config.expiry = jsonpath(expiryPathKey, resultObj);
     }
 }

src/gcp_auth.ts

@@ -1,10 +1,10 @@
 import * as proc from 'child_process';
 import https = require('https');
-import * as jsonpath from 'jsonpath-plus';
 import request = require('request');
 
 import { Authenticator } from './auth';
 import { User } from './config_types';
+import { jsonpath } from './json_path';
 
 /* FIXME: maybe we can extend the User and User.authProvider type to have a proper type.
 Currently user.authProvider has `any` type and so we don't have a type for user.authProvider.config.
@@ -90,7 +90,7 @@ export class GoogleCloudPlatformAuth implements Authenticator {
         const tokenPathKey = '$' + tokenPathKeyInConfig.slice(1, -1);
         const expiryPathKey = '$' + expiryPathKeyInConfig.slice(1, -1);
 
-        config['access-token'] = jsonpath.JSONPath(tokenPathKey, resultObj);
-        config.expiry = jsonpath.JSONPath(expiryPathKey, resultObj);
+        config['access-token'] = jsonpath(tokenPathKey, resultObj);
+        config.expiry = jsonpath(expiryPathKey, resultObj);
     }
 }

src/gcp_auth_test.ts

@@ -285,4 +285,27 @@ describe('GoogleCloudPlatformAuth', () => {
             expect(opts.headers.Authorization).to.equal(`Bearer ${token}`);
         }
     });
+
+    it('should throw if tried to run JavaScript inside the token key', async () => {
+        const token = 'token';
+        const responseStr = `{"token":{"accessToken":"${token}"}}`;
+
+        const user = {
+            authProvider: {
+                name: 'gcp',
+                config: {
+                    'cmd-path': join(__dirname, '..', 'test', 'echo space.js'),
+                    'cmd-args': `'${responseStr}'`,
+                    'expiry-key': '{.token.token_expiry}',
+
+                    // The problematic token
+                    'token-key': '{..[?(' + '(function a(arr){' + 'a([...arr, ...arr])' + '})([1]);)]}',
+                },
+            },
+        } as User;
+
+        await expect(auth.applyAuthentication(user, {})).to.eventually.be.rejectedWith(
+            'Eval [?(expr)] prevented in JSONPath expression.',
+        );
+    });
 });

src/json_path.ts

@@ -0,0 +1,10 @@
+import { JSONPath } from 'jsonpath-plus';
+
+export function jsonpath(path: string, json: object): any {
+    return JSONPath({
+        path,
+        json,
+
+        preventEval: true,
+    });
+}

src/json_path_test.ts

@@ -0,0 +1,12 @@
+import { expect } from 'chai';
+import { jsonpath } from './json_path';
+
+describe('jsonpath', () => {
+    it('should throw if tried to run JavaScript inside the path', () => {
+        expect(() => {
+            jsonpath('$..[?(' + '(function a(arr){' + 'a([...arr, ...arr])' + '})([1]);)]', {
+                nonEmpty: 'object',
+            });
+        }).to.throw();
+    });
+});