For anyone who comes across this issue, the PR, or the associated vulnerability on Huntr or elsewhere: this is a legit and valid vulnerability that will be patched.
If you are a programmer using json-ptr, it is possible for you to hack yourself by passing arbitrary code to the JsonPointer's .get() method. See the referenced PR's PoC to learn how to hack yourself.
If your code accepts user input, does not sanitize the user's input, and forwards the user's input to the JsonPointer's .get() method, then an unscrupulous user could execute arbitrary code in your program.
Never Send Un-sanitized User Input To json-ptr
The vulnerability in this library is my oversight. The vulnerability in your program is your oversight.
Hey maintainers @cehoffman @mortonfox @treybrisbane @chrishalbert, I have opened a PR (418sec#3) which will fix the potential arbitrary code execution vulnerability in json-ptr. Please review it.
If you are fine with that fix, please comment @huntr-helper - LGTM at 418sec#3, or if you need any modifications, please also comment on that PR. Thanks.
Ref: 418sec#3