Fix Code injection in -d DELIM through use of eval (#150)

huntr.dev | the place to protect open source · ready-research · web-flow · commit 4114e321b023 · 2021-04-25T19:51:39.000-07:00
Replace eval with JSON.parse This handles the code injection vuln in `-d DELIM`, but introduces a backward incompatibility because JSON escapes are a subset of JavaScript escapes. Co-authored-by: ready-research <72916209+ready-research@users.noreply.github.com> Refs: #148
diff --git a/lib/json.js b/lib/json.js
@@ -126,7 +126,7 @@ if (util.format) {
 function _parseString(s) {
     /* JSSTYLED */
     var quoted = '"' + s.replace(/\\"/, '"').replace('"', '\\"') + '"';
-    return eval(quoted);
+    return JSON.parse(quoted);
 }
 
 // json_parse.js (<https://github.com/douglascrockford/JSON-js>)

Original file line number	Diff line number	Diff line change
`@@ -126,7 +126,7 @@ if (util.format) {`
`126`	`126`	`function _parseString(s) {`
`127`	`127`	`/* JSSTYLED */`
`128`	`128`	`var quoted = '"' + s.replace(/\\"/, '"').replace('"', '\\"') + '"';`
`129`		`- return eval(quoted);`
	`129`	`+ return JSON.parse(quoted);`
`130`	`130`	`}`
`131`	`131`
`132`	`132`	`// json_parse.js (<https://github.com/douglascrockford/JSON-js>)`