4 changes: 3 additions & 1 deletion Docs/Utilities/JSON.md
Expand Up @@ -33,7 +33,9 @@ Converts a JSON string into a JavaScript object.
### Arguments:

1. string - (*string*) The string to evaluate.
2. secure - (*boolean*, optional: defaults to false) If set to true, checks for any hazardous syntax and returns null if any found.
2. secure - (*boolean*, optional: defaults to true) If set to true, checks for any hazardous syntax and returns null if any found.

There is also a global option `JSON.secure` (*boolean*: defaults to true). If the optional `secure` argument is not defined, the value of `JSON.secure` will be used.

### Returns:

10 changes: 8 additions & 2 deletions Source/Utilities/JSON.js
Expand Up @@ -67,10 +67,16 @@ JSON.encode = JSON.stringify ? function(obj){
return null;
};

JSON.secure = true;
//<1.4compat>
JSON.secure = false;
//</1.4compat>

JSON.decode = function(string, secure){
if (!string || typeOf(string) != 'string') return null;

if (secure || JSON.secure){

if (secure == null) secure = JSON.secure;
if (secure){
if (JSON.parse) return JSON.parse(string);
if (!JSON.validate(string)) throw new Error('JSON could not decode the input; security is enabled and the value is not secure.');
}
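Review bot: The new `if (secure == null) secure = JSON.secure;` re-reads the mutable global on every call, so any script that later sets `JSON.secure = false` (the spec file in this PR does exactly that) silently routes every call site that omits the argument to the eval path, and the `//<1.4compat>` block ships that insecure default for compat builds. Call sites that decode untrusted input should pass `true` explicitly rather than rely on the global, and the compat block deserves a comment such as `// 1.4compat restores the insecure eval() default; set JSON.secure = true before decoding untrusted data`. The loose `secure == null` is presumably deliberate so that `undefined` also falls back to the default; a short comment `// null or undefined: fall back to the global default` would stop the next reader from "fixing" it to `===`. The body of JSON.decode, including the eval fallback it guards, continues past the end of the hunk.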
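--- a/Specs/Utilities/JSON.js
+++ b/Specs/Utilities/JSON.js
@@ -31,3 +31,47 @@ describe('JSON', function(){
 });
 
 });
+describe('JSON', function(){
+
+var goodString = '{"name":"Jim Cowart","location":{"city":{"name":"Chattanooga","population":167674}}}';
+var badString = 'alert("I\'m a bad string!")';
+
+it('should parse a valid JSON string by default', function(){
+expect(typeOf(JSON.decode(goodString))).toEqual("object");
+});
+
+it('should parse a valid JSON string when secure is set to false', function(){
+expect(typeOf(JSON.decode(goodString, false))).toEqual("object");
+});
+
+it('should parse a hazarous string when secure is set to false', function(){
+var _old_alert = window.alert;
+window.alert = function (string) {
+if (string == "I'm a bad string!") return true;
+return false;
+};
+expect(JSON.decode(badString, false)).toEqual(true);
+window.alert = _old_alert;
+});
+it('should parse a hazarous string when JSON.secure is set to false and secure is not defined', function(){
+var _old_alert = window.alert;
+window.alert = function (string) {
+if (string == "I'm a bad string!") return true;
+return false;
+};
+JSON.secure = false;
+expect(JSON.decode(badString)).toEqual(true);
+window.alert = _old_alert;
+JSON.secure = true;
+});
+it('should NOT parse a hazarous string by default', function(){
+var err;
+try {
+JSON.decode(badString);
+} catch (e){
+err = !!e;
+};
+expect(err).toEqual(true);
+});
+
+});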
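Review bot: The test 'should parse a hazarous string when JSON.secure is set to false and secure is not defined' sets `JSON.secure = false` and restores it only after the expectation, so an error thrown inside `JSON.decode` leaves the global disabled for every later spec and the `window.alert` stub installed; the preceding test has the same cleanup gap for `window.alert`. Save the previous value rather than assuming it was `true` and restore in a `finally`: `var _old_secure = JSON.secure; try { JSON.secure = false; expect(JSON.decode(badString)).toEqual(true); } finally { window.alert = _old_alert; JSON.secure = _old_secure; }`. The last test can use the framework matcher, `expect(function(){ JSON.decode(badString); }).toThrow();`, instead of the manual try/catch with `err = !!e`. The word 'hazarous' in three test names should read 'hazardous'.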