Changes between Initial Version and Version 1 of Ticket #10333


Timestamp: Nov 14, 2009, 2:19:32 PM
Author: dante
Comment:

Providing a secure JSON path is on the radar, but we can't do it in fromJson because of backward compatibility. There is already a secure parser in dojox.secure.

Perhaps:

{{{
dojo.fromJsonSecure = function(json){
    // only hand strings that pass the whitelist regexp to the eval-based fromJson
    if(/thatregexp/.test(json)){
       return dojo.fromJson.apply(dojo, arguments);
    }
}
}}}

would be a small base addition worth providing?

  • Ticket #10333
    • Property Cc kriszyp elatzukin added
    • Property Milestone changed from tbd to future
  • Ticket #10333 – Description

    Initial version:

    Currently, the `fromJson` method blindly `eval()`s any string passed to it, a potentially dangerous operation (depending on the string's source, it could easily contain injected code).  A simple !RegExp check can be used to prevent this: any string which does '''not''' match `/^(?:[,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]|"(?:\\.|[^"\\])*")*$/` is '''not''' valid JSON and should not be `eval()`ed.  (Note that the reverse is not true; that expression can match invalid JSON, but it at least won't be malicious — no function calls, control structures, etc.)

    Adding the line `if (!/^(?:[,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]|"(?:\\.|[^"\\])*")*$/.test(json)) throw "invalid JSON";` (or some such) to `fromJson` would prevent this kind of script injection.  It is also a cheap operation: it only traverses the string once and fails early if an invalid character is found.

    Version 1:

    Currently, the `fromJson` method blindly `eval()`s any string passed to it, a potentially dangerous operation (depending on the string's source, it could easily contain injected code).  A simple !RegExp check can be used to prevent this: any string which does '''not''' match

    {{{
    `/^(?:[,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]|"(?:\\.|[^"\\])*")*$/`
    }}}

    is '''not''' valid JSON and should not be `eval()`ed.  (Note that the reverse is not true; that expression can match invalid JSON, but it at least won't be malicious — no function calls, control structures, etc.)

    Adding the line

    {{{
    `if (!/^(?:[,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]|"(?:\\.|[^"\\])*")*$/.test(json)) throw "invalid JSON";` // (or some such)
    }}}

    to `fromJson` would prevent this kind of script injection.  It is also a cheap operation: it only traverses the string once and fails early if an invalid character is found.
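The whitelist check the description proposes, written out as an added example (not Dojo's own code): the RegExp is the one quoted in the ticket, while the names `isSafeJson` and `fromJsonSecure` are assumed here. It also shows the caveat the description notes, that the RegExp admits some strings that are not valid JSON (such as `1-2`) but that evaluate to plain values rather than code.

```javascript
// Added example, not part of the Dojo code base. The RegExp is the one from the
// ticket; isSafeJson/fromJsonSecure are names assumed for this illustration.
const SAFE_JSON_RE = /^(?:[,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]|"(?:\\.|[^"\\])*")*$/;

// True when every character outside a string literal is one the RegExp allows:
// punctuation of JSON, digits, the letters of true/false/null and exponents,
// and whitespace. Parentheses, '=' and ';' are not, so no calls or statements.
function isSafeJson(json) {
  return SAFE_JSON_RE.test(json);
}

// Mirrors the eval("(" + json + ")") that fromJson performs, but refuses any
// string that fails the whitelist instead of handing it to eval.
function fromJsonSecure(json) {
  if (!isSafeJson(json)) {
    throw new Error("invalid JSON");
  }
  return eval("(" + json + ")");
}

// Constructed sample inputs: one well-formed document, one string carrying a
// method call, and one that passes the RegExp yet is not valid JSON.
const WELL_FORMED = '{"a": [1, 2.5e3, true, null, "x\\"y"]}';
const WITH_CALL = '[1,2].map(x => x)';
const NOT_JSON_BUT_HARMLESS = '1-2';

console.log(fromJsonSecure(WELL_FORMED).a);          // [ 1, 2500, true, null, 'x"y' ]
console.log(isSafeJson(WITH_CALL));                  // false
console.log(fromJsonSecure(NOT_JSON_BUT_HARMLESS));  // -1 (accepted, evaluates to a number)
```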