fix(evaluate): add max safe integer check for array evaluation

char0n · char0n · commit b1ca85fb5510 · 2025-04-15T22:49:53.000+02:00
diff --git a/src/evaluate/index.js b/src/evaluate/index.js
@@ -8,6 +8,8 @@ import JSONPointerTypeError from '../errors/JSONPointerTypeError.js';
 import JSONPointerIndexError from '../errors/JSONPointerIndexError.js';
 import JSONPointerKeyError from '../errors/JSONPointerKeyError.js';
 
+const MAX_SAFE_INTEGER = Number.MAX_SAFE_INTEGER.toString();
+
 const evaluate = (
   value,
   jsonPointer,
@@ -103,6 +105,29 @@ const evaluate = (
           });
         }
 
+        if (
+          referenceToken.length > MAX_SAFE_INTEGER.length ||
+          (referenceToken.length === MAX_SAFE_INTEGER.length && referenceToken > MAX_SAFE_INTEGER)
+        ) {
+          const message = `Invalid array index "${referenceToken}" at position ${referenceTokenPosition} in "${jsonPointer}": must be a non-negative integer within the I-JSON safe integer range (0 to 2^53 - 1)`;
+
+          tracer?.step({
+            referenceToken,
+            input: current,
+            success: false,
+            reason: message,
+          });
+
+          throw new JSONPointerIndexError(message, {
+            jsonPointer,
+            referenceTokens,
+            referenceToken,
+            referenceTokenPosition,
+            currentValue: current,
+            realm: realm.name,
+          });
+        }
+
         const index = Number(referenceToken);
         if (index >= realm.sizeOf(current) && strictArrays) {
           const message = `Invalid array index "${index}" at position ${referenceTokenPosition} in "${jsonPointer}": out of bounds`;
@@ -117,7 +142,7 @@ const evaluate = (
           throw new JSONPointerIndexError(message, {
             jsonPointer,
             referenceTokens,
-            referenceToken: index,
+            referenceToken,
             referenceTokenPosition,
             currentValue: current,
             realm: realm.name,
diff --git a/test/evaluate/index.js b/test/evaluate/index.js
@@ -104,6 +104,14 @@ describe('evaluate', function () {
       assert.throws(() => evaluate(data, '/foo/x'), JSONPointerIndexError);
     });
 
+    specify('should throw JSONPointerIndexError for unsafe integer array index', function () {
+      assert.throws(
+        () => evaluate(data, '/foo/9007199254740992'),
+        JSONPointerIndexError,
+        /I-JSON safe integer range \(0 to 2\^53 - 1\)/,
+      );
+    });
+
     specify('should throw JSONPointerIndexError for out-of-bounds array index', function () {
       assert.throws(() => evaluate(data, '/foo/5'), JSONPointerIndexError);
     });
