fix(security): prevent constructor access in safe vm

brettz9 · brettz9 · commit b70aa713553c · 2024-10-19T01:26:33.000+08:00
Also:
- docs: add security policy file
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -6,6 +6,8 @@ labels: Bug - unconfirmed
 ---
 <!--
 **PLEASE NOTE: This project is not currently being very actively developed.**
+
+**ALSO: If wishing to report a security bug, please read SECURITY.md**
 -->
 
 ## Describe the bug
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,5 +1,10 @@
 # CHANGES for jsonpath-plus
 
+## 10.0.7
+
+- fix(security): prevent `constructor` access
+- docs: add security policy file
+
 ## 10.0.6
 
 - fix(security): prevent `call`/`apply` invocation of `Function`
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,20 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+If you believe you’ve found a security vulnerability, please send it to us by emailing [brettz9@yahoo.com](mailto:brettz9@yahoo.com). Please include the following details with your report:
+
+1. Description of the location and potential impact of the vulnerability
+
+2. A detailed description of the steps required to reproduce the vulnerability (POC scripts, etc.).
+
+3. How you would like to be credited.
+
+We will evaluate the vulnerability and, if necessary, release a fix or unertake mitigating steps to address it. We will contact you to let you know the outcome, and will credit you in the report.
+
+Please **do not disclose the vulnerability publicly** until we have sufficient time to release a fix.
+
+Once we have either a) published a fix, b) declined to address the vulnerability for whatever reason, or c) taken more than 30 days to reply, we welcome you to publicly report the vulnerability on our tracker and disclose it publicly. If you intend to
+disclose sooner regardless of our requested policy, please at least indicate to us when you plan to disclose.
diff --git a/badges/coverage-badge.svg b/badges/coverage-badge.svg
@@ -1 +1 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="417" height="20"><defs><style>text{font-size:11px;font-family:Verdana,DejaVu Sans,Geneva,sans-serif}text.shadow{fill:#010101;fill-opacity:.3}text.high{fill:#fff}</style><linearGradient id="smooth" x2="0" y2="100%"><stop offset="0" stop-color="#aaa" stop-opacity=".1"/><stop offset="1" stop-opacity=".1"/></linearGradient><mask id="round"><rect width="100%" height="100%" rx="3" fill="#fff"/></mask></defs><g id="bg" mask="url(#round)"><path fill="orange" stroke="#000" d="M0 0h120v20H0zM120 0h109v20H120zM229 0h87v20h-87z"/><path fill="green" stroke="#000" d="M316 0h101v20H316z"/><path fill="url(#smooth)" d="M0 0h417v20H0z"/></g><g id="fg"><text class="shadow" x="5.5" y="15">Statements 98.83%</text><text class="high" x="5" y="14">Statements 98.83%</text><text class="shadow" x="125.5" y="15">Branches 98.04%</text><text class="high" x="125" y="14">Branches 98.04%</text><text class="shadow" x="234.5" y="15">Lines 98.83%</text><text class="high" x="234" y="14">Lines 98.83%</text><text class="shadow" x="321.5" y="15">Functions 100%</text><text class="high" x="321" y="14">Functions 100%</text></g></svg>
+<svg xmlns="http://www.w3.org/2000/svg" width="417" height="20"><defs><style>text{font-size:11px;font-family:Verdana,DejaVu Sans,Geneva,sans-serif}text.shadow{fill:#010101;fill-opacity:.3}text.high{fill:#fff}</style><linearGradient id="smooth" x2="0" y2="100%"><stop offset="0" stop-color="#aaa" stop-opacity=".1"/><stop offset="1" stop-opacity=".1"/></linearGradient><mask id="round"><rect width="100%" height="100%" rx="3" fill="#fff"/></mask></defs><g id="bg" mask="url(#round)"><path fill="orange" stroke="#000" d="M0 0h120v20H0zM120 0h109v20H120zM229 0h87v20h-87z"/><path fill="green" stroke="#000" d="M316 0h101v20H316z"/><path fill="url(#smooth)" d="M0 0h417v20H0z"/></g><g id="fg"><text class="shadow" x="5.5" y="15">Statements 98.66%</text><text class="high" x="5" y="14">Statements 98.66%</text><text class="shadow" x="125.5" y="15">Branches 97.78%</text><text class="high" x="125" y="14">Branches 97.78%</text><text class="shadow" x="234.5" y="15">Lines 98.66%</text><text class="high" x="234" y="14">Lines 98.66%</text><text class="shadow" x="321.5" y="15">Functions 100%</text><text class="high" x="321" y="14">Functions 100%</text></g></svg>
diff --git a/dist/index-browser-esm.js b/dist/index-browser-esm.js
@@ -1291,6 +1291,9 @@ const SafeEval = {
     return ast.value;
   },
   evalMemberExpression(ast, subs) {
+    if (ast.property.type === 'Identifier' && ast.property.name === 'constructor' || ast.object.type === 'Identifier' && ast.object.name === 'constructor') {
+      throw new Error("'constructor' property is disabled");
+    }
     const prop = ast.computed ? SafeEval.evalAst(ast.property) // `object[property]`
     : ast.property.name; // `object.property` property is Identifier
     const obj = SafeEval.evalAst(ast.object, subs);
diff --git a/dist/index-browser-esm.min.js b/dist/index-browser-esm.min.js
diff --git a/dist/index-browser-esm.min.js.map b/dist/index-browser-esm.min.js.map
diff --git a/dist/index-browser-umd.cjs b/dist/index-browser-umd.cjs
@@ -1297,6 +1297,9 @@
 	    return ast.value;
 	  },
 	  evalMemberExpression(ast, subs) {
+	    if (ast.property.type === 'Identifier' && ast.property.name === 'constructor' || ast.object.type === 'Identifier' && ast.object.name === 'constructor') {
+	      throw new Error("'constructor' property is disabled");
+	    }
 	    const prop = ast.computed ? SafeEval.evalAst(ast.property) // `object[property]`
 	    : ast.property.name; // `object.property` property is Identifier
 	    const obj = SafeEval.evalAst(ast.object, subs);
diff --git a/dist/index-browser-umd.min.cjs b/dist/index-browser-umd.min.cjs
diff --git a/dist/index-browser-umd.min.cjs.map b/dist/index-browser-umd.min.cjs.map
diff --git a/dist/index-node-cjs.cjs b/dist/index-node-cjs.cjs
@@ -1292,6 +1292,9 @@ const SafeEval = {
     return ast.value;
   },
   evalMemberExpression(ast, subs) {
+    if (ast.property.type === 'Identifier' && ast.property.name === 'constructor' || ast.object.type === 'Identifier' && ast.object.name === 'constructor') {
+      throw new Error("'constructor' property is disabled");
+    }
     const prop = ast.computed ? SafeEval.evalAst(ast.property) // `object[property]`
     : ast.property.name; // `object.property` property is Identifier
     const obj = SafeEval.evalAst(ast.object, subs);
diff --git a/dist/index-node-esm.js b/dist/index-node-esm.js
@@ -1290,6 +1290,9 @@ const SafeEval = {
     return ast.value;
   },
   evalMemberExpression(ast, subs) {
+    if (ast.property.type === 'Identifier' && ast.property.name === 'constructor' || ast.object.type === 'Identifier' && ast.object.name === 'constructor') {
+      throw new Error("'constructor' property is disabled");
+    }
     const prop = ast.computed ? SafeEval.evalAst(ast.property) // `object[property]`
     : ast.property.name; // `object.property` property is Identifier
     const obj = SafeEval.evalAst(ast.object, subs);
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "author": "Stefan Goessner",
   "name": "jsonpath-plus",
-  "version": "10.0.6",
+  "version": "10.0.7",
   "type": "module",
   "bin": {
     "jsonpath": "./bin/jsonpath-cli.js",
diff --git a/src/Safe-Script.js b/src/Safe-Script.js
@@ -105,6 +105,15 @@ const SafeEval = {
         return ast.value;
     },
     evalMemberExpression (ast, subs) {
+        if (
+            (ast.property.type === 'Identifier' &&
+                ast.property.name === 'constructor') ||
+            (ast.object.type === 'Identifier' &&
+                ast.object.name === 'constructor')
+        ) {
+            throw new Error("'constructor' property is disabled");
+        }
+
         const prop = ast.computed
             ? SafeEval.evalAst(ast.property) // `object[property]`
             : ast.property.name; // `object.property` property is Identifier

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"author": "Stefan Goessner",`
`3`	`3`	`"name": "jsonpath-plus",`
`4`		`- "version": "10.0.6",`
	`4`	`+ "version": "10.0.7",`
`5`	`5`	`"type": "module",`
`6`	`6`	`"bin": {`
`7`	`7`	`"jsonpath": "./bin/jsonpath-cli.js",`