dchester / jsonpath

Query and manipulate JavaScript objects with JSONPath expressions. Robust JSONPath engine for Node.js.

New secure jsonpath-sandbox fork

movitto opened this issue · comments

Hello Javascripters!

While not an issue per se, this topic may be of interest to those looking to use jsonpath from a Node.js environment to process arbitrary / user-specified expressions. After analysing the source code it became apparent that this library is not the best to do so, as the builtin expression evaluation mechanism uses static-eval, which according to that project's readme:

It is NOT suitable for handling arbitrary untrusted user input. Malicious user input can execute arbitrary code.

This is elaborated in a recent issue comment by one of the project authors @goto-bus-stop:

If you allow those function calls, someone can craft JS code that will access the prototype of those functions, which is the Function constructor, which is eval (real eval). There are many ways to do that, so while we've got checks in place to prevent some of those cases, it's likely that there are other undiscovered cases. static-eval was built for use in build pipelines on trusted code, so here it makes more sense to just explicitly be unsafe rather than try to plug all the holes forever

So while this jsonpath library uses static-eval, one cannot sleep soundly at night knowing that they are fully safe from malicious user input. Enter jsonpath-sandbox...

After evaluating options, we decided that the most suitable solution would be to modify the jsonpath backend so as to dispatch to an alternative / safe expression interpreter that would allow us to process arbitrary user input. For this we used the v8-sandbox library, which wraps the V8 JavaScript engine from Google, simply exposing the built-in/isolated JavaScript environment and nothing more. Thus nothing from NodeJS is exposed and we can now process JSONPath expressions without having to worry about malicious code injection.

There are a few caveats though:

  • Most notably, since v8-sandbox exposes the V8 interpreter via an asynchronous interface, the jsonpath implementation and API had to be updated to reflect that. Thus all functionality is now invoked through the use of Promises, which need to be asynchronously handled.
  • Furthermore, since V8 is a C++ module, this library cannot currently be 'browserified' and loaded in the browser.
  • To cleanly shut down the V8 interpreter, a shutdown method is provided on the top-level JSONPath prototype. This must be invoked so the Node.js process can complete execution.
  • There are also a few smaller caveats which are outlined in the jsonpath-sandbox README.

The tests have been fully updated and work 100%, verifying all original JSONPath functionality, so this should be good to go, though some community testing and feedback would be more than appreciated (we'd more than welcome issues and PRs on our fork). We hope this helps others in the situation we are in; be sure to follow Dev Null Productions (our startup) for tools and services which use this library in production in the near future!

jsonpath-sandbox 1.0.3 was just pushed to GitHub and npm, including performance optimizations and a new 'complexity' function returning a quantitative representation of expression complexity.
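As an added illustration of the point raised in this issue (example code, not part of the post and not from jsonpath or jsonpath-sandbox): one mitigation for callers that cannot take on a native V8 sandbox, or that need to run in the browser, is to stop treating filter expressions as JavaScript at all and accept only a small, explicitly whitelisted grammar. The function names (`tokenize`, `parse`, `resolve`, `evaluate`, `filter`) and the `BOOKS` sample data are assumptions made up for this example.

```javascript
'use strict';
// Added example (hypothetical code, not from jsonpath or jsonpath-sandbox): a
// whitelist-based evaluator for JSONPath filter expressions. It parses a small
// grammar (an `@.a.b` path compared with a literal, joined by && / || and
// parentheses) and rejects anything else, so untrusted input never reaches
// eval, Function or the prototype chain.

const COMPARISONS = new Set(['==', '!=', '<', '<=', '>', '>=']);
// Property names that are never resolved on the current node, even if present.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
// Sticky token regex: operator, `@.a.b` path, number, quoted string, keyword.
const TOKEN_RE = /\s*(?:(&&|\|\||==|!=|<=|>=|<|>|\(|\))|(@(?:\.[A-Za-z_][A-Za-z0-9_]*)+)|(-?\d+(?:\.\d+)?)|'([^'\\]*)'|"([^"\\]*)"|(true|false|null))/y;

function tokenize(src) {
  const tokens = [];
  TOKEN_RE.lastIndex = 0;
  while (TOKEN_RE.lastIndex < src.length) {
    const start = TOKEN_RE.lastIndex;
    const m = TOKEN_RE.exec(src);
    if (!m) {
      if (src.slice(start).trim() === '') break; // only trailing whitespace left
      throw new SyntaxError(`unsupported token at offset ${start}`);
    }
    if (m[1]) tokens.push({ t: 'op', v: m[1] });
    else if (m[2]) tokens.push({ t: 'path', v: m[2].slice(2).split('.') });
    else if (m[3]) tokens.push({ t: 'lit', v: Number(m[3]) });
    else if (m[6]) tokens.push({ t: 'lit', v: m[6] === 'null' ? null : m[6] === 'true' });
    else tokens.push({ t: 'lit', v: m[4] !== undefined ? m[4] : m[5] });
  }
  return tokens;
}

// Recursive descent over: or := and ('||' and)*; and := cmp ('&&' cmp)*;
// cmp := '(' or ')' | path COMPARISON literal. Anything else is a SyntaxError.
function parse(src) {
  const toks = tokenize(src);
  let i = 0;
  const isOp = (v) => toks[i] !== undefined && toks[i].t === 'op' && toks[i].v === v;
  const take = (t, v) => {
    const tok = toks[i++];
    if (!tok || tok.t !== t || (v !== undefined && tok.v !== v)) throw new SyntaxError(`expected ${v || t} at token ${i - 1}`);
    return tok.v;
  };
  // Left-associative chain of `sub` operands joined by the operator `opv`.
  const chain = (opv, kind, sub) => () => {
    let node = sub();
    while (isOp(opv)) { i++; node = { k: kind, l: node, r: sub() }; }
    return node;
  };
  const parseCmp = () => {
    if (isOp('(')) { i++; const inner = parseOr(); take('op', ')'); return inner; }
    const path = take('path');
    const blocked = path.find((key) => BLOCKED_KEYS.has(key));
    if (blocked) throw new SyntaxError(`blocked property ${blocked}`);
    const op = take('op');
    if (!COMPARISONS.has(op)) throw new SyntaxError(`unsupported operator ${op}`);
    return { k: 'cmp', path, op, value: take('lit') };
  };
  const parseAnd = chain('&&', 'and', parseCmp);
  const parseOr = chain('||', 'or', parseAnd);
  const ast = parseOr();
  if (i !== toks.length) throw new SyntaxError('trailing input');
  return ast;
}

// Resolve `@.a.b` through own properties only, so inherited members are unreachable.
function resolve(node, path) {
  let cur = node;
  for (const key of path) {
    if (cur === null || typeof cur !== 'object' || !Object.prototype.hasOwnProperty.call(cur, key)) return undefined;
    cur = cur[key];
  }
  return cur;
}

function evaluate(ast, node) {
  if (ast.k === 'or') return evaluate(ast.l, node) || evaluate(ast.r, node);
  if (ast.k === 'and') return evaluate(ast.l, node) && evaluate(ast.r, node);
  const a = resolve(node, ast.path), b = ast.value, op = ast.op;
  if (op === '==') return a === b;
  if (op === '!=') return a !== b;
  // Ordering only between two numbers or two strings, never via implicit coercion.
  if (typeof a !== typeof b || (typeof a !== 'number' && typeof a !== 'string')) return false;
  return op === '<' ? a < b : op === '<=' ? a <= b : op === '>' ? a > b : a >= b;
}

// Apply a filter expression to an array, as `$[?(<expr>)]` would, returning the matches.
function filter(items, expr) {
  const ast = parse(expr);
  return items.filter((item) => evaluate(ast, item));
}

// Constructed sample data, modelled on the classic JSONPath bookstore example.
const BOOKS = [
  { title: 'Sayings of the Century', price: 8.95, category: 'reference' },
  { title: 'Sword of Honour', price: 12.99, category: 'fiction' },
  { title: 'Moby Dick', price: 8.99, category: 'fiction', isbn: '0-553-21311-3' },
];

console.log(filter(BOOKS, "@.price < 10 && @.category == 'fiction'").map((b) => b.title)); // [ 'Moby Dick' ]
```

Anything outside the grammar (function calls, bare identifiers, or a path through `constructor`, `__proto__` or `prototype`) is rejected at parse time, before any data is touched, and property lookup uses own properties only, so an expression cannot reach inherited members. The trade-off relative to the sandbox fork is expressiveness: arbitrary JavaScript in filters is simply unsupported, which is the point.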