Prototype Pollution in JSON5 #295

Closed
jdgregson opened this issue Dec 16, 2022 · 11 comments
@jdgregson

There is a Prototype Pollution vulnerability in JSON5 before and including version 2.2.1. There is no security policy that I can find for this project, so I am unsure of where to report it. Should I just post the details here?

@jordanbtucker
Member

Thanks for reporting this. Is the vulnerability in the source code or in a dependency?

@aseemk I don't have control over the json.org domain, but maybe we should set up an email address for reporting security vulnerabilities.

@jdgregson
Author

jdgregson commented Dec 16, 2022

The vulnerability is in the source code of the JSON5 library, specifically in the JSON5.parse method. I've found it to be exploitable in Node as well as in the browser.

@jordanbtucker
Member

Thanks. Please send me the details at jordanbtucker@gmail.com, and I'll take a look.

@jdgregson
Author

Got it, email sent.

@jancama2

jancama2 commented Jan 2, 2023

@jordanbtucker not sure how to handle this, but the issue is fixed not only in 2.2.2 but in 1.0.2 (https://github.com/json5/json5/releases/tag/v1.0.2) too, right? But audit says the only way to fix it is to upgrade to 2.2.2 and higher. Can we do something about it? Don't want to add resolutions to a higher major just for the sake of satisfying audit.

@jordanbtucker
Member

@jancama2 Yes, I created a pull request to have GitHub update the security advisory, but it hasn't been merged yet, probably due to the holidays.
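
A check for the audit situation discussed in the two comments above, as an added example that is not part of the thread or the json5 project's code: it walks the `packages` map of a package-lock.json (lockfileVersion 2 or 3) and classifies every installed json5 copy against the fixed versions named in this issue (1.0.2 and 2.2.2). The function names and the sample lockfile are constructed, and treating majors above 2 as patched is an assumption.

```javascript
// Added example (not from the thread). Fixed versions per major line, as
// stated in the issue: 1.0.2 for 1.x and 2.2.2 for 2.x.
const FIXED_BY_MAJOR = { 1: [1, 0, 2], 2: [2, 2, 2] };
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(version));
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4]) };
}

function compareTriples(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns "patched", "affected", or "unknown" for an unparseable version.
function classifyJson5(version) {
  const v = parseVersion(version);
  if (!v) return "unknown";
  const fix = FIXED_BY_MAJOR[v.nums[0]];
  // 0.x has no fixed release named in the thread; majors above 2 are assumed patched.
  if (!fix) return v.nums[0] > 2 ? "patched" : "affected";
  const order = compareTriples(v.nums, fix);
  // A prerelease of the fix version sorts before it, so it is not the fix.
  if (order === 0) return v.prerelease ? "affected" : "patched";
  return order > 0 ? "patched" : "affected";
}

// Collect every installed json5 copy, including nested ones.
function findJson5(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/json5" || path.endsWith("/node_modules/json5")) {
      hits.push({ path, version: meta.version, status: classifyJson5(meta.version) });
    }
  }
  return hits;
}

// Constructed sample lockfile (lockfileVersion 3 shape); package names are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/json5": { version: "2.2.1" },
    "node_modules/legacy-loader/node_modules/json5": { version: "1.0.2" },
    "node_modules/old-config/node_modules/json5": { version: "1.0.1" },
    "node_modules/@constructed/json5": { version: "9.9.9" }, // scoped name, not json5
  },
};
console.log(findJson5(SAMPLE_LOCK));
```

A 1.x copy at 1.0.2 or later is reported as patched, which is the case the audit tooling in this thread did not yet recognise.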

ayinloya added a commit to smileidentity/smile-identity-core-js that referenced this issue Jan 4, 2023
ayinloya added a commit to smileidentity/smile-identity-core-js that referenced this issue Jan 5, 2023
* Add typescript

* Add typescript config

* Convert src/constants.js to typescript

* Convert src/helpers to typescript

* Convert src/signature to ts

* Add shared.ts for shared types

* convert utilities to ts

* Convert web-token to s

* Convert id-api to ts

* Convert web-api to ts

* Convert index.js to ts

* Resolve id spread issue in webapi

* Add typescript support for jest
Change tests to typescript

* Remove es exports, defer to typescript export

* Change require to import
Fix test: object check error

* Add typescript lint support
Use es2021 in typescript config
Change tests to typescript

* Move examples into single folder
Fix lint issue
Update eslint config
Build js files in ci before test and deployment
Install example dependency before lint

* Fix failing test
Remove example package install from ci

* Fix types

* Change biometric kyc example to ts

* Fix lint

* change document verification example to ts

* Fix lint

* Change enhanced kyc to typescript

* Change smart selfie example to typescript

* Update package.json

Co-authored-by: Michael <michael.l.dangelo@gmail.com>

* Fix helpers test

* remove npm build from workflow

* Export interface inline

* Add babel cli

* Compile js in prepublish using babel
Build declaration in prepublish
Add tsc check in lint
Remove comments from tsconfigs

* Change console error to warn, since execution will still continue

* Add tsconfig to generate single d.ts file for all declarations
Add js and type generation in prepublish

* Fix index path in package.json

* Add contributors field in package.json

* Use require for server.js

* Upgrade json5 json5/json5#295

* Add source map to config

* restrict sidServerMapping keys to number

Co-authored-by: Michael <michael.l.dangelo@gmail.com>
@jdmarshall

@jdgregson Have you retested this vulnerability? I have some doubts about the implementation.

@jordanbtucker
Member

jordanbtucker commented Jan 6, 2023

> Have you retested this vulnerability? I have some doubts about the implementation.

See #296 (comment)

@LodewijkIVX

What does JSON look like?

@jordanbtucker
Member

@LodewijkIVX Are you asking what the JSON implementation looks like for parsing?
