Security Fix for Arbitrary Code Injection - huntr.dev

[huntr-helper]

@ready-research (https://huntr.dev/users/ready-research) has fixed a potential Arbitrary Code Injection vulnerability in your repository 🔨. For more information, visit our website (https://huntr.dev/) or click the bounty URL below...

Q | A
Version Affected | <=10.0.0
Bug Fix | YES
Original Pull Request | 418sec#1

If you are happy with this disclosure, we would love to get a CVE assigned to the vulnerability. Feel free to credit @ready-research, the discloser found in the bounty URL (below) and @huntr-helper.

User Comments:

Replace eval with JSON.parse

📊 Metadata *

json is a 'json' command tool for massaging and processing JSON on the command line.

Affected versions of this package are vulnerable to Arbitrary Code Injection via the -d argument.

Bounty URL: https://www.huntr.dev/bounties/1-npm-json/

⚙️ Description *

Describe your fix clearly and concisely - imagine you are describing it to a non-technical friend.

💻 Technical Description *

Replace eval with JSON.parse to avoid Code injection through the use of eval.

🐛 Proof of Concept (PoC) *

1. Install using npm i json
2. And execute

curl -sL 'https://api.github.com/repos/joyent/node/issues?state=open' | node_modules/json/lib/json.js -a created_at number title -d '""+require(`child_process`).execSync(`id`)//'

3. Output: 2015-08-29T15:29:45Z"uid=1000(kali) gid=1000(kali) groups=1000(kali)...........
   

🔥 Proof of Fix (PoF) *

👍 User Acceptance Testing (UAT)

After the fix functionality is not affected.

[trentm]

json@11.0.0 released today with this fix. Thanks.
https://www.npmjs.com/package/json

[JamieSlome]

@trentm - awesome! 🍰

If you want more fixes/disclosures like this in the future, feel free to add our badge to your README:

[![huntr](https://cdn.huntr.dev/huntr_security_badge_mono.svg)](https://huntr.dev)