
Commit 233d754

chore: update security policy (#250)
1 parent d8dad28 commit 233d754

File tree

2 files changed

+24
-1
lines changed


README.md

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -402,6 +402,11 @@ npm run browser-test
402402

403403
- Visit [http://localhost:8082/test/](http://localhost:8082/test/).
404404

405+
406+
## Security
407+
408+
Please see [SECURITY.md](./SECURITY.md) for important security considerations and instructions on how to report vulnerabilities.
409+
405410
## License
406411

407412
[MIT License](https://opensource.org/license/mit/).
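Review bot: the relative link `./SECURITY.md` at 408 resolves on the GitHub repository page but will be a dead link wherever the README is rendered on its own (for example the npm package page) if SECURITY.md is not shipped with the published files; an absolute URL to the file in the repository avoids that, and it is worth confirming whether the file is included in the package before merging.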

SECURITY.md

Lines changed: 19 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,10 +1,28 @@
11
# Security Policy
22

3+
## Security Considerations
4+
5+
### Query Injection
6+
7+
JSONPath-Plus evaluates JSONPath expressions provided by the caller. While the default `"eval": "safe"` option prevents arbitrary code execution, it **cannot prevent data exposure if the JSONPath query itself is compromised**.
8+
9+
If untrusted input is incorporated into a JSONPath expression, an attacker may be able to alter the query structure by adding additional patterns. This can change how the remaining query is interpreted and may result in **unexpected or broader data being returned** than intended.
10+
11+
**Important notes:**
12+
- This does **not** enable random code execution when using `"eval": "safe"` (the default).
13+
- The primary risk is **data leakage**, not execution of attacker-controlled code.
14+
15+
**Mitigations:**
16+
1. **Do not interpolate unsanitized user input into JSONPath queries.**
17+
2. If user-controlled input must be included in a query, ensure the target JSON object contains **only non-confidential data**.
18+
19+
As a general rule, treat JSONPath expressions as code and avoid constructing them dynamically from untrusted sources.
20+
321
## Reporting a Vulnerability
422

523
**Please do not report security vulnerabilities through public GitHub issues.**
624

7-
If you believe you’ve found a security vulnerability, please send it to us by emailing [brettz9@yahoo.com](mailto:brettz9@yahoo.com). Please include the following details with your report:
25+
If you believe you’ve found a security vulnerability, please send it to us by emailing [iamavinashthakur.at@gmail.com](mailto:iamavinashthakur.at@gmail.com) or [brettz9@yahoo.com](mailto:brettz9@yahoo.com). Please include the following details with your report:
826

927
1. Description of the location and potential impact of the vulnerability
1028
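Review bot: line 12 says `"eval": "safe"` does not enable "random code execution", while line 7 correctly says "arbitrary code execution"; the two should use the same wording ("arbitrary"), since "random" misstates the threat. The mitigations at 16 and 17 also leave a gap: when user-controlled input must go into a query, relying only on the target object holding non-confidential data is a weak position, so consider adding a mitigation that validates the untrusted value against an allowlist of expected forms (for example a fixed set of field names or a strict pattern) before it is interpolated, which follows directly from the "treat JSONPath expressions as code" rule at 19.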
