Prototype Pollution in JSON5 #295
Comments
Thanks for reporting this. Is the vulnerability in the source code or in a dependency? @aseemk I don't have control over the json.org domain, but maybe we should set up an email address for reporting security vulnerabilities.
The vulnerability is in the source code of the
Thanks. Please send me the details at jordanbtucker@gmail.com, and I'll take a look.
Got it, email sent.
@jordanbtucker not sure how to handle this, but the issue is fixed not only in
@jancama2 Yes, I created a pull request to have GitHub update the security advisory, but it hasn't been merged yet, probably due to the holidays.
* Add typescript
* Add typescript config
* Convert src/constants.js to typescript
* Convert src/helpers to typescript
* Convert src/signature to ts
* Add shared.ts for shared types
* convert utilities to ts
* Convert web-token to s
* Convert id-api to ts
* Convert web-api to ts
* Convert index.js to ts
* Resolve id spread issue in webapi
* Add typescript support for jest. Change tests to typescript
* Remove es exports, defer to typescript export
* Change require to import. Fix test: object check error
* Add typescript lint support. Use es2021 in typescript config. Change tests to typescript
* Move examples into single folder. Fix lint issue. Update eslint config. Build js files in ci before test and deployment. Install example dependency before lint
* Fix failing test. Remove example package install from ci
* Fix types
* Change biometric kyc example to ts
* Fix lint
* change document verification example to ts
* Fix lint
* Change enhanced kyc to typescript
* Change smart selfie example to typescript
* Update package.json
Co-authored-by: Michael <michael.l.dangelo@gmail.com>
* Fix helpers test
* remove npm build from workflow
* Export interface inline
* Add babel cli
* Compile js in prepublish using babel. Build declaration in prepublish. Add tsc check in lint. Remove comments from tsconfigs
* Change console error to warn, since execution will still continue
* Add tsconfig to generate single d.ts file for all declarations. Add js and type generation in prepublish
* Fix index path in package.json
* Add contributors field in package.json
* Use require for server.js
* Upgrade json5 json5/json5#295
* Add source map to config
* restrict sidServerMapping keys to number
Co-authored-by: Michael <michael.l.dangelo@gmail.com>
@jdgregson Have you retested this vulnerability? I have some doubts about the implementation.
See #296 (comment)
What does JSON look like?
@LodewijkIVX Are you asking what the JSON implementation looks like for parsing?
There is a Prototype Pollution vulnerability in JSON5 before and including version 2.2.1. There is no security policy that I can find for this project, so I am unsure of where to report it. Should I just post the details here?
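The report above names the vulnerability class (prototype pollution through a parser) without describing the parser internals, and this thread does not either. What a consumer of any JSON/JSON5-style parser can do regardless of the library's fix is check the parsed tree for the keys that prototype pollution relies on and verify, after parsing untrusted input, that `Object.prototype` was not modified. The following is an added example written for this issue; it is not JSON5's own code and does not depend on the `json5` package. It takes any parser function as a parameter (the demonstration uses the built-in `JSON.parse`, which writes `__proto__` as an own property, so the key check is exercised), and the sample inputs are constructed for the example.

```javascript
// Added example, not part of JSON5. Defensive checks for parsed JSON/JSON5 data.
// Assumption: the parser returns plain objects and arrays (true of JSON.parse and JSON5.parse).

// Keys through which a parsed document can reach Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a parsed value and return the path of the first forbidden key, or null.
// Object.keys only yields own enumerable keys, so a parser that materialises
// "__proto__" as an own property (as JSON.parse does) is caught here.
function findForbiddenKey(value, path = '$') {
  if (value === null || typeof value !== 'object') return null;
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findForbiddenKey(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) return `${path}.${key}`;
    const hit = findForbiddenKey(value[key], `${path}.${key}`);
    if (hit) return hit;
  }
  return null;
}

// Wrap any parser so untrusted text carrying a forbidden key is rejected
// before the result reaches application code. `parser` is a hypothetical
// parameter for this example; pass JSON.parse, JSON5.parse, etc.
function parseRejectingPollution(parser, text) {
  const parsed = parser(text);
  const hit = findForbiddenKey(parsed);
  if (hit !== null) {
    throw new Error(`refusing parsed input: forbidden key at ${hit}`);
  }
  return parsed;
}

// Post-condition: Object.prototype has no own enumerable properties. A parser
// that polluted the prototype would leave the injected key visible here.
function objectPrototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Constructed sample inputs for the demonstration.
const SAMPLE_POLLUTING = '{"name": "cfg", "__proto__": {"polluted": true}}';
const SAMPLE_NESTED = '{"name": "cfg", "items": [{"constructor": {"prototype": {}}}]}';
const SAMPLE_CLEAN = '{"name": "cfg", "nested": {"list": [1, 2, {"k": "v"}]}}';

// Run the checks with the built-in parser when executed directly.
if (typeof require !== 'undefined' && require.main === module) {
  for (const text of [SAMPLE_POLLUTING, SAMPLE_NESTED, SAMPLE_CLEAN]) {
    try {
      parseRejectingPollution(JSON.parse, text);
      console.log('accepted:', text);
    } catch (err) {
      console.log('rejected:', err.message);
    }
  }
  console.log('Object.prototype clean:', objectPrototypeIsClean());
}
```

The key filter is a consumer-side control that works whatever parser version is installed; the `objectPrototypeIsClean` check belongs in a test that parses the application's untrusted inputs, since it detects pollution after the fact rather than preventing it.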