
Arbitrary Code Execution in JsonPointer.get #30

Closed
zpbrent opened this issue Mar 28, 2021 · 3 comments
Comments


zpbrent commented Mar 28, 2021

Hey maintainers @cehoffman @mortonfox @treybrisbane @chrishalbert, I have opened a PR (418sec#3) which will fix the potential arbitrary code execution vulnerability in json-ptr. Please review it.

If you are fine with that fix, please comment @huntr-helper - LGTM at 418sec#3, or if you need any modifications, please also comment on that PR. Thanks.

Ref: 418sec#3

@cerebralkungfu cerebralkungfu self-assigned this May 11, 2021
@cerebralkungfu

For anyone who comes across this issue, the PR, or the associated vulnerability on Huntr or elsewhere: this is a legit and valid vulnerability that will be patched.

If you are a programmer using json-ptr, it is possible for you to hack yourself by passing arbitrary code to the JsonPointer's .get() method. See the referenced PR's PoC to learn how to hack yourself.

If your code accepts user input, does not sanitize the user's input, and forwards the user's input to the JsonPointer's .get() method, then an unscrupulous user could execute arbitrary code in your program.

Never Send Un-sanitized User Input To json-ptr

The vulnerability in this library is my oversight. The vulnerability in your program is your oversight.
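The input gate the comment above calls for, as an added example that is not json-ptr's code: reject anything that is not a syntactically valid RFC 6901 pointer before it reaches a pointer library, and resolve accepted pointers with plain own-property lookups. The resolver is a reference implementation written for this example (it says nothing about json-ptr's internals), and the document and pointers are constructed sample input.

```javascript
// Added example, not json-ptr's code: gate untrusted pointer strings on
// RFC 6901 syntax, then resolve with plain own-property lookups only.
// Grammar: "" or any number of "/" + tokens, where a token is any char
// except "/" and "~", or one of the escapes "~0" (tilde) and "~1" (slash).
const POINTER_RE = /^(\/([^\/~]|~[01])*)*$/;

// Throws unless `pointer` is a syntactically valid JSON Pointer string.
function validatePointer(pointer) {
  if (typeof pointer !== 'string') throw new TypeError('JSON Pointer must be a string');
  if (!POINTER_RE.test(pointer)) throw new SyntaxError(`invalid JSON Pointer: ${JSON.stringify(pointer)}`);
  return pointer;
}

// Splits a validated pointer into unescaped reference tokens
// ("~1" before "~0", as RFC 6901 section 4 requires).
function parsePointer(pointer) {
  validatePointer(pointer);
  if (pointer === '') return [];
  return pointer.slice(1).split('/')
    .map((t) => t.replace(/~1/g, '/').replace(/~0/g, '~'));
}

// Reference resolver: walks own properties only, never evaluates the
// pointer text, and returns undefined for anything not present.
function safeGet(doc, pointer) {
  let cur = doc;
  for (const token of parsePointer(pointer)) {
    if (cur === null || typeof cur !== 'object') return undefined;
    if (!Object.prototype.hasOwnProperty.call(cur, token)) return undefined;
    cur = cur[token];
  }
  return cur;
}

// Constructed sample document exercising both escapes and the empty key.
const SAMPLE_DOC = { users: [{ name: 'ann', 'a/b': 1, 'm~n': 2 }], '': 'empty' };

function demo() {
  return {
    name: safeGet(SAMPLE_DOC, '/users/0/name'),    // 'ann'
    slash: safeGet(SAMPLE_DOC, '/users/0/a~1b'),   // 1
    tilde: safeGet(SAMPLE_DOC, '/users/0/m~0n'),   // 2
    emptyKey: safeGet(SAMPLE_DOC, '/'),            // 'empty'
    missing: safeGet(SAMPLE_DOC, '/users/9/name'), // undefined
    proto: safeGet(SAMPLE_DOC, '/__proto__/x'),    // undefined
  };
}
```

Malformed pointers such as `users/0/name` (no leading slash) or `/a~2` (unknown escape) are rejected with a SyntaxError before any lookup happens.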

@cerebralkungfu

It appears that this is a duplicate of #28, even though it is a side effect of that bug.

@cerebralkungfu

Fixed with the original report #28.
