Hopiu/angular.js
1
0
Fork 0
mirror of https://github.com/Hopiu/angular.js.git synced 2026-03-17 07:40:22 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Stricter JSON parsing, for security

Browse source
This commit is contained in:
Misko Hevery 2010-12-11 10:07:10 -08:00
parent ec4d446f89
commit a5df1fc41f
2 changed files with 18 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
src/parser.js
View file

@ -42,12 +42,17 @@ function lex(text, parseStringsForObjects){
readNumber();
} else if (isIdent(ch)) {
readIdent();
// identifiers can only be if the preceding char was a { or ,
if (was('{,') && json[0]=='{' &&
(token=tokens[tokens.length-1])) {
token.json = token.text.indexOf('.') == -1;
}
} else if (is('(){}[].,;:')) {
tokens.push({index:index, text:ch, json:is('{}[]:,')});
tokens.push({
index:index,
text:ch,
json:(was(':[,') && is('{[')) || is('}]:,')
});
if (is('{[')) json.unshift(ch);
if (is('}]')) json.shift();
index++;

12
test/JsonSpec.js
View file

@ -151,6 +151,18 @@ describe('json', function(){
expect(function(){fromJson('[].constructor');}).
toThrow(new Error("Parse Error: Token '.' is not valid json at column 3 of expression [[].constructor] starting at [.constructor]."));
});
it('should not allow object dereference', function(){
expect(function(){fromJson('{a:1, b: $location, c:1}');}).toThrow();
expect(function(){fromJson("{a:1, b:[1]['__parent__']['location'], c:1}");}).toThrow();
});
it('should not allow assignments', function(){
expect(function(){fromJson("{a:1, b:[1]=1, c:1}");}).toThrow();
expect(function(){fromJson("{a:1, b:=1, c:1}");}).toThrow();
expect(function(){fromJson("{a:1, b:x=1, c:1}");}).toThrow();
});
});
});