Fix Code injection in -d DELIM through use of eval (#150)
Replace eval with JSON.parse

This handles the code injection vuln in `-d DELIM`, but introduces a backward
incompatibility because JSON escapes are a subset of JavaScript escapes.

Co-authored-by: ready-research <72916209+ready-research@users.noreply.github.com>
Refs: #148
huntr.dev | the place to protect open source and ready-research authored Apr 26, 2021
1 parent 27e1ad7 commit 4114e32
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion lib/json.js
@@ -126,7 +126,7 @@ if (util.format) {
function _parseString(s) {
/* JSSTYLED */
var quoted = '"' + s.replace(/\\"/, '"').replace('"', '\\"') + '"';
return eval(quoted);
return JSON.parse(quoted);
}

// json_parse.js (<https://github.com/douglascrockford/JSON-js>)
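Review bot: the new `JSON.parse(quoted)` call throws a `SyntaxError` for every delimiter that `eval` used to accept but JSON does not (the commit message itself notes that JSON escapes are a subset of JavaScript escapes, e.g. `\x..` hex escapes, which JSON lacks), and `_parseString` does not catch it, so a user of `-d` with a previously valid escape now gets an uncaught `SyntaxError` from `JSON.parse` with no mention of the `-d` option; consider wrapping the call in a `try`/`catch` that rethrows with a message naming `-d DELIM` and the accepted JSON escapes, and documenting the behaviour change in the changelog. Separately, the quoting on the unchanged line `var quoted = '"' + s.replace(/\\"/, '"').replace('"', '\\"') + '"';` uses a non-global regex and a string `replace`, so only the first `\"` and the first `"` are rewritten; a delimiter containing a second unescaped `"` still produces a malformed literal, which `JSON.parse` will also reject, so the `g` flag (`/\\"/g`, `/"/g`) would make the escaping consistent with the new strict parser.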
