feat: hardened JSON imports (#1132)

---------

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

HISTORY.md

@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
 
 ## unreleased
 
+* Changed
+  * Hardened JSON imports (via [#1132]) 
+
+[#1132]: https://github.com/CycloneDX/cyclonedx-node-npm/pull/1132
+
 ## 1.14.3 - 2023-12-01
 
 * Fixed

src/_helpers.ts

@@ -0,0 +1,27 @@
+/*!
+This file is part of CycloneDX generator for NPM projects.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+import { readFileSync } from 'fs'
+
+export function loadJsonFile (path: string): any {
+  return JSON.parse(readFileSync(path, 'utf8'))
+  // may be replaced by `require(f, { with: { type: "json" } })`
+  // as soon as this spec is properly implemented.
+  // see https://github.com/tc39/proposal-import-attributes
+}

src/builders.ts

@@ -23,6 +23,7 @@ import * as normalizePackageData from 'normalize-package-data'
 import { type PackageURL } from 'packageurl-js'
 import * as path from 'path'
 
+import { loadJsonFile } from './_helpers'
 import { makeNpmRunner, type runFunc } from './npmRunner'
 import { PropertyNames, PropertyValueBool } from './properties'
 import { versionCompare } from './versionCompare'
@@ -350,8 +351,7 @@ export class BomBuilder {
     const packageJsonPath = path.join(data.path, 'package.json')
     try {
       return Object.assign(
-        /* eslint-disable-next-line @typescript-eslint/no-var-requires */
-        require(packageJsonPath),
+        loadJsonFile(packageJsonPath),
         data
       )
     } catch {
@@ -568,8 +568,7 @@ export class BomBuilder {
   }
 
   private * makeTools (): Generator<Models.Tool> {
-    /* eslint-disable-next-line @typescript-eslint/no-var-requires */
-    const packageJsonPaths = ['../package.json']
+    const packageJsonPaths = [path.resolve(module.path, '..', 'package.json')]
 
     const libs = [
       '@cyclonedx/cyclonedx-library'
@@ -589,8 +588,7 @@ export class BomBuilder {
     /* eslint-enable no-labels */
 
     for (const packageJsonPath of packageJsonPaths) {
-      /* eslint-disable-next-line @typescript-eslint/no-var-requires */
-      const packageData = require(packageJsonPath)
+      const packageData = loadJsonFile(packageJsonPath)
       normalizePackageData(packageData /* add debug for warnings? */)
       const tool = this.toolBuilder.makeTool(packageData)
       if (tool !== undefined) {

src/cli.ts

@@ -22,6 +22,7 @@ import { Argument, Command, Option } from 'commander'
 import { existsSync, openSync, writeSync } from 'fs'
 import { dirname, resolve } from 'path'
 
+import { loadJsonFile } from './_helpers'
 import { BomBuilder, TreeBuilder } from './builders'
 
 enum OutputFormat {
@@ -173,8 +174,7 @@ function makeCommand (process: NodeJS.Process): Command {
     )
   ).version(
     // that is supposed to be the last option in the list on the help page.
-    /* eslint-disable-next-line @typescript-eslint/no-var-requires */
-    require('../package.json').version as string
+    loadJsonFile(resolve(module.path, '..', 'package.json')).version as string
   ).allowExcessArguments(
     false
   )