bfj 9.1.2 → 9.1.3

package/.claude/settings.local.json

@@ -0,0 +1,21 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(npm info:*)",
+      "Bash(npm view:*)",
+      "Bash(node -e:*)",
+      "WebSearch",
+      "Bash(npx mocha:*)",
+      "Bash(export PATH:*)",
+      "Bash(node:*)",
+      "Bash(npm install:*)",
+      "Bash(npm run unit:*)",
+      "Bash(npm run lint:*)",
+      "Bash(/usr/bin/tail:*)",
+      "Bash(/usr/bin/grep -E '\\(passing|failing\\)')",
+      "Bash(npm run integration:*)",
+      "Bash(npm test:*)",
+      "Bash(npm run memory:*)"
+    ]
+  }
+}

package/.eslintrc

@@ -43,7 +43,7 @@ rules:
   keyword-spacing: [ 2, { "before": true, "after": true } ]
   linebreak-style: [ 2, "unix" ]
   lines-around-comment: 0
-  max-depth: [ 1, 3 ]
+  max-depth: [ 1, 4 ]
   max-nested-callbacks: [ 1, 2 ]
   max-params: [ 1, 8 ]
   max-statements: 0
@@ -62,9 +62,9 @@ rules:
   no-cond-assign: [ 2, "always" ]
   no-confusing-arrow: 0
   no-console: 1
-  no-constant-condition: 2
+  no-constant-condition: 0
   no-const-assign: 2
-  no-continue: 1
+  no-continue: 0
   no-control-regex: 2
   no-debugger: 2
   no-delete-var: 2

package/HISTORY.md

@@ -1,5 +1,18 @@
 # History
 
+## 9.1.3
+
+### Bug fixes
+
+* memory: eliminate memory leaks in `walk` and `eventify` (8592416af612795d08c5f9b50e8bf611cca303a5)
+* match: remove vulnerable `jsonpath` dependency (d053e0de4cc91c1393b9377f0569eebf91eb84da)
+
+### Other changes
+
+* repo: tweak lint config (efe9f392127d7ab845bd9c3becb87949cf0a4625)
+* deps: `npm audit fix` (b4d066425e107288f8da3658d29f3e5ec57ad0c9)
+* deps: upgrade `please-release-me` to `3.4.1` (cd65c37f626541599c3eef60ab0011055d304ae0)
+
 ## 9.1.2
 
 ### Bug fixes

package/README.md

@@ -276,8 +276,13 @@ the comparison will be made
 by calling the [RegExp `test` method][regexp-test]
 with the property key.
 If it is a JSONPath expression,
-it must start with `$.` to identify the root node
-and only use `child` scope expressions for subsequent nodes.
+it must start with `$.`
+and supports only simple child access:
+dot-notation properties (`$.foo.bar`),
+bracket-notation strings (`$["foo"]`),
+numeric indices (`$[0]`),
+and wildcards (`$[*]`).
+Filter, script, and recursive descent expressions are not supported.
 Predicate functions will be called with three arguments:
 `key`, `value` and `depth`.
 If the result of the predicate is a truthy value

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bfj",
-  "version": "9.1.2",
+  "version": "9.1.3",
   "description": "Big-friendly JSON. Asynchronous streaming functions for large JSON data sets.",
   "homepage": "https://gitlab.com/philbooth/bfj",
   "bugs": "https://gitlab.com/philbooth/bfj/issues",
@@ -31,7 +31,6 @@
   "dependencies": {
     "check-types": "^11.2.3",
     "hoopy": "^0.1.4",
-    "jsonpath": "^1.1.1",
     "tryer": "^1.0.1"
   },
   "devDependencies": {
@@ -39,16 +38,17 @@
     "chai": "^4.5.0",
     "eslint": "^8.57.1",
     "mocha": "^10.7.3",
-    "please-release-me": "^2.1.6",
+    "please-release-me": "^3.4.1",
     "proxyquire": "^2.1.3",
     "spooks": "^2.0.0"
   },
   "scripts": {
     "lint": "eslint src",
-    "test": "npm run unit && npm run integration",
+    "test": "npm run unit && npm run integration && npm run memory",
     "unit": "mocha --ui tdd --reporter spec --recursive --colors --slow 120 test/unit",
     "integration": "mocha --ui tdd --reporter spec --colors test/integration",
-    "perf": "wget -O test/mtg.json https://mtgjson.com/api/v5/AllPrices.json && node test/performance mtg",
-    "perf-match": "wget -O test/mtg.json https://mtgjson.com/api/v5/AllPrices.json && node test/performance mtg currency"
+    "memory": "mocha --ui tdd --reporter spec --colors test/memory",
+    "perf": "test -f test/mtg.json || curl -o test/mtg.json https://mtgjson.com/api/v5/AllPrices.json && node test/performance mtg",
+    "perf-match": "test -f test/mtg.json || curl -o test/mtg.json https://mtgjson.com/api/v5/AllPrices.json && node test/performance mtg currency"
   }
 }

package/src/eventify.js

@@ -249,7 +249,7 @@ function eventify (data, options = {}) {
 
     await emit(events[type])
 
-    await item(obj, arr, type, action, ignoreThisItem, 0)
+    await item(obj, arr, type, action, ignoreThisItem)
   }
 
   async function emit (event, eventData) {
@@ -265,30 +265,26 @@ function eventify (data, options = {}) {
     }
   }
 
-  async function item (obj, arr, type, action, ignoreThisItem, index) {
-    if (index >= arr.length) {
-      if (ignoreThisItem) {
-        ignoreItems = false
-      }
-
+  async function item (obj, arr, type, action, ignoreThisItem) {
+    for (let index = 0; index < arr.length; index++) {
       if (ignoreItems) {
-        return
+        break
       }
 
-      await emit(events.endPrefix + events[type])
-
-      references.delete(obj)
+      await action(arr[index])
+    }
 
-      return
+    if (ignoreThisItem) {
+      ignoreItems = false
     }
 
     if (ignoreItems) {
-      return item(obj, arr, type, action, ignoreThisItem, index + 1)
+      return
     }
 
-    await action(arr[index])
+    await emit(events.endPrefix + events[type])
 
-    await item(obj, arr, type, action, ignoreThisItem, index + 1)
+    references.delete(obj)
   }
 
   function value (datum, type) {

package/src/jsonpath.js

@@ -0,0 +1,151 @@
+'use strict'
+
+module.exports = parseJsonPath
+
+/* Minimal jsonpath parser,
+ * replacing `jsonpath` which depended on `static-eval`
+ * (CVE-2026-1615, arbitrary code execution from untrusted input).
+ *
+ * Only the subset used by bfj is supported:
+ *   $.foo.bar    dot-notation properties
+ *   $["foo"]     bracket-notation strings
+ *   $[0]         numeric indices
+ *   $[*]         wildcards
+ *
+ * Filter expressions, script expressions, recursive descent, slices, and negative indices
+ * are all rejected.
+ * No eval, no regex, no dynamic code.
+ */
+
+function parseJsonPath (selector) {
+  if (typeof selector !== 'string' || selector.length === 0 || selector[0] !== '$') {
+    throw new SyntaxError('Invalid jsonpath: must start with $')
+  }
+
+  const result = [ { expression: { type: 'root', value: '$' } } ]
+  let position = 1
+
+  if (position >= selector.length) {
+    throw new SyntaxError('Invalid jsonpath: must have at least one segment after $')
+  }
+
+  while (position < selector.length) {
+    const character = selector[position]
+
+    if (character === '.') {
+      position += 1
+      if (position >= selector.length || selector[position] === '.') {
+        throw new SyntaxError('Invalid jsonpath: unexpected character after dot')
+      }
+
+      const id = parseIdentifier(selector, position)
+      result.push({ expression: { type: 'identifier', value: id.value }, operation: 'member', scope: 'child' })
+      position = id.position
+    } else if (character === '[') {
+      position += 1
+      const content = parseBracketContent(selector, position)
+      result.push({ expression: content.expression, operation: 'subscript', scope: 'child' })
+
+      position = content.position
+      if (position >= selector.length || selector[position] !== ']') {
+        throw new SyntaxError('Invalid jsonpath: unterminated bracket')
+      }
+
+      position += 1
+    } else {
+      throw new SyntaxError(`Invalid jsonpath: unexpected character "${character}"`)
+    }
+  }
+
+  return result
+}
+
+function parseBracketContent (selector, position) {
+  if (position >= selector.length) {
+    throw new SyntaxError('Invalid jsonpath: unterminated bracket')
+  }
+
+  const character = selector[position]
+
+  if (character === '*') {
+    return { expression: { type: 'wildcard', value: '*' }, position: position + 1 }
+  }
+
+  if (character === '"' || character === "'") {
+    const str = parseStringLiteral(selector, position)
+    return { expression: { type: 'string_literal', value: str.value }, position: str.position }
+  }
+
+  if (isDigit(character)) {
+    const num = parseNumericLiteral(selector, position)
+    return { expression: { type: 'numeric_literal', value: num.value }, position: num.position }
+  }
+
+  throw new SyntaxError(`Invalid jsonpath: unexpected bracket content "${character}"`)
+}
+
+function parseIdentifier (selector, position) {
+  const start = position
+
+  if (position >= selector.length || !isIdentifierStart(selector[position])) {
+    throw new SyntaxError('Invalid jsonpath: expected identifier')
+  }
+
+  position += 1
+
+  while (position < selector.length && isIdentifier(selector[position])) {
+    position += 1
+  }
+
+  return { value: selector.slice(start, position), position }
+}
+
+function parseNumericLiteral (selector, position) {
+  const start = position
+
+  while (position < selector.length && isDigit(selector[position])) {
+    position += 1
+  }
+
+  return { value: parseInt(selector.slice(start, position), 10), position }
+}
+
+function parseStringLiteral (selector, position) {
+  const quote = selector[position]
+  position += 1
+  const start = position
+
+  while (position < selector.length && selector[position] !== quote) {
+    if (selector[position] === '\\') {
+      throw new SyntaxError('Invalid jsonpath: escape sequences in strings are not supported')
+    }
+    position += 1
+  }
+
+  if (position >= selector.length) {
+    throw new SyntaxError('Invalid jsonpath: unterminated string')
+  }
+
+  const value = selector.slice(start, position)
+  position += 1
+  return { value, position }
+}
+
+function isDigit (character) {
+  return character >= '0' && character <= '9'
+}
+
+function isIdentifier (character) {
+  return (character >= 'a' && character <= 'z') ||
+    (character >= 'A' && character <= 'Z') ||
+    (character >= '0' && character <= '9') ||
+    character === '_' ||
+    character === '$'
+}
+
+function isIdentifierStart (character) {
+  return (character >= 'a' && character <= 'z') ||
+    (character >= 'A' && character <= 'Z') ||
+    character === '_' ||
+    character === '$'
+}

package/src/match.js

@@ -4,7 +4,7 @@ const check = require('check-types')
 const DataStream = require('./datastream')
 const events = require('./events')
 const Hoopy = require('hoopy')
-const jsonpath = require('jsonpath')
+const parseJsonPath = require('./jsonpath')
 const { PassThrough } = require('node:stream')
 const walk = require('./walk')
 
@@ -84,7 +84,7 @@ function match (stream, selector, options = {}) {
     check.assert.nonEmptyString(selector)
 
     if (selector.startsWith('$.')) {
-      selectorPath = jsonpath.parse(selector)
+      selectorPath = parseJsonPath(selector)
       check.assert.identical(selectorPath.shift(), {
         expression: {
           type: 'root',

package/src/walk.js

@@ -57,10 +57,6 @@ function initialise (stream, options = {}) {
     column: 1
   }
   const emitter = new EventEmitter()
-  const handlers = {
-    arr: value,
-    obj: property
-  }
   const json = []
   const lengths = []
   const previousPosition = {}
@@ -116,7 +112,7 @@ function initialise (stream, options = {}) {
       resume()
     } else {
       isWalkBegun = true
-      value()
+      topLevelLoop()
     }
   }
 
@@ -145,36 +141,97 @@ function initialise (stream, options = {}) {
     return lengths[chunkCount - 1].aggregate
   }
 
-  function value () {
-    if (++count % yieldRate !== 0) {
-      return consumeValue()
+  async function topLevelLoop () {
+    try {
+      if (shouldHandleNdjson) {
+        while (true) {
+          await awaitNonWhitespace()
+
+          if (character() === '\n') {
+            hasEndedLine = true
+            await next()
+            await emit(events.endLine)
+            continue
+          }
+
+          if (! hasEndedLine) {
+            await fail(character(), '\n', currentPosition)
+            await next()
+            continue
+          }
+
+          hasEndedLine = false
+          await value()
+        }
+      } else {
+        await value()
+
+        while (true) {
+          await awaitNonWhitespace()
+          await fail(character(), 'EOF', currentPosition)
+          await value()
+        }
+      }
+    } catch (_) {
+      setImmediate(endWalk)
+    }
+  }
+
+  async function value () {
+    if (++count % yieldRate === 0) {
+      await new Promise(resolve => {
+        setImmediate(resolve)
+      })
     }
 
-    return new Promise(resolve => {
-      setImmediate(() => consumeValue(resolve))
-    })
+    await parseOneValue()
   }
 
-  async function consumeValue (resolve, reject) {
-    try {
-      await awaitNonWhitespace()
-      await handleValue(await next())
-      if (resolve) {
-        resolve()
-      }
-    } catch (err) {
-      if (reject) {
-        reject(err)
-      }
+  async function parseOneValue () {
+    await awaitNonWhitespace()
+    const char = await next()
+
+    switch (char) {
+      case '[':
+        return array()
+      case '{':
+        return object()
+      case '"':
+        return string()
+      case '0':
+      case '1':
+      case '2':
+      case '3':
+      case '4':
+      case '5':
+      case '6':
+      case '7':
+      case '8':
+      case '9':
+      case '-':
+      case '.':
+        return number(char)
+      case 'f':
+        return literalFalse()
+      case 'n':
+        return literalNull()
+      case 't':
+        return literalTrue()
+      default:
+        await fail(char, 'value', previousPosition)
+        return value()
     }
   }
 
   async function awaitNonWhitespace () {
-    await awaitCharacter()
+    while (true) {
+      await awaitCharacter()
+
+      if (! isWhitespace(character())) {
+        return
+      }
 
-    if (isWhitespace(character())) {
       await next()
-      await awaitNonWhitespace()
     }
   }
 
@@ -272,131 +329,62 @@ function initialise (stream, options = {}) {
     return result
   }
 
-  async function handleValue (char) {
-    if (shouldHandleNdjson && scopes.length === 0) {
-      if (char === '\n') {
-        hasEndedLine = true
-        await emit(events.endLine)
-        return value()
-      }
-
-      if (! hasEndedLine) {
-        await fail(char, '\n', previousPosition)
-        return value()
-      }
-
-      hasEndedLine = false
-    }
-
-    switch (char) {
-      case '[':
-        return array()
-      case '{':
-        return object()
-      case '"':
-        return string()
-      case '0':
-      case '1':
-      case '2':
-      case '3':
-      case '4':
-      case '5':
-      case '6':
-      case '7':
-      case '8':
-      case '9':
-      case '-':
-      case '.':
-        return number(char)
-      case 'f':
-        return literalFalse()
-      case 'n':
-        return literalNull()
-      case 't':
-        return literalTrue()
-      default:
-        await fail(char, 'value', previousPosition)
-        return value()
-    }
-  }
-
   function array () {
     return scope(events.array, value)
   }
 
   async function scope (event, contentHandler) {
     await emit(event)
-
     scopes.push(event)
-    await endScope(event)
-
-    return await contentHandler()
-  }
-
-  async function emit (...args) {
-    if (pause) {
-      await pause
-    }
-
-    try {
-      emitter.emit(...args)
-    } catch (err) {
-      try {
-        emitter.emit(events.error, err)
-      } catch (_) {
-        // When calling user code, anything is possible
-      }
-    }
-  }
 
-  async function endScope (scp) {
     try {
       await awaitNonWhitespace()
 
-      if (character() === terminators[scp]) {
-        await emit(events.endPrefix + scp)
-
+      if (character() === terminators[event]) {
+        await emit(events.endPrefix + event)
         scopes.pop()
         await next()
-
-        await endValue()
+        return
       }
-    } catch (_) {
-      setImmediate(endWalk)
-    }
-  }
 
-  async function endValue () {
-    try {
-      await awaitNonWhitespace()
+      while (true) {
+        await contentHandler()
 
-      if (scopes.length === 0) {
-        if (shouldHandleNdjson) {
-          await value()
-        } else {
-          await fail(character(), 'EOF', currentPosition)
-          await value()
-        }
-      }
-
-      const scp = scopes[scopes.length - 1]
-      const handler = handlers[scp]
+        await awaitNonWhitespace()
 
-      await endScope(scp)
+        if (character() === terminators[event]) {
+          await emit(events.endPrefix + event)
+          scopes.pop()
+          await next()
+          return
+        }
 
-      if (scopes.length > 0) {
         const isComma = await checkCharacter(character(), ',', currentPosition)
         if (isComma) {
           await next()
         }
       }
-
-      await handler()
     } catch (_) {
       setImmediate(endWalk)
     }
   }
 
+  async function emit (...args) {
+    if (pause) {
+      await pause
+    }
+
+    try {
+      emitter.emit(...args)
+    } catch (err) {
+      try {
+        emitter.emit(events.error, err)
+      } catch (_) {
+        // When calling user code, anything is possible
+      }
+    }
+  }
+
   function fail (actual, expected, position) {
     return emit(
       events.dataError,
@@ -434,30 +422,35 @@ function initialise (stream, options = {}) {
 
   async function walkString (event) {
     isWalkingString = true
-    await walkStringContinue(event, [], false)
-  }
 
-  async function walkStringContinue (event, str, isEscaping) {
-    const char = await next()
+    const str = []
+    let escaping = false
 
-    if (isEscaping) {
-      str.push(await escape(char))
-      if (++stringChunkCount >= stringChunkSize) {
-        await walkStringChunk(event, str)
+    while (true) {
+      const char = await next()
+
+      if (escaping) {
+        str.push(await escape(char))
+        if (++stringChunkCount >= stringChunkSize) {
+          await walkStringChunk(event, str)
+        }
+        escaping = false
+        continue
       }
-      return walkStringContinue(event, str, false)
-    }
 
-    if (char === '\\') {
-      return walkStringContinue(event, str, true)
-    }
+      if (char === '\\') {
+        escaping = true
+        continue
+      }
+
+      if (char === '"') {
+        break
+      }
 
-    if (char !== '"') {
       str.push(char)
       if (++stringChunkCount >= stringChunkSize) {
         await walkStringChunk(event, str)
       }
-      return walkStringContinue(event, str, isEscaping)
     }
 
     isWalkingString = false
@@ -465,7 +458,7 @@ function initialise (stream, options = {}) {
     await walkStringChunk(event, str)
     stringChunkStart = 0
 
-    return emit(event, str.join(''))
+    await emit(event, str.join(''))
   }
 
   function walkStringChunk (event, str) {
@@ -483,7 +476,7 @@ function initialise (stream, options = {}) {
     }
 
     if (char === 'u') {
-      return escapeHex([], 0)
+      return escapeHex()
     }
 
     await fail(char, 'escape character', previousPosition)
@@ -491,30 +484,25 @@ function initialise (stream, options = {}) {
     return `\\${char}`
   }
 
-  async function escapeHex (hexits, idx) {
-    const char = await next()
-
-    if (isHexit(char)) {
-      hexits.push(char)
-    }
+  async function escapeHex () {
+    const hexits = []
 
-    if (idx < 3) {
-      return escapeHex(hexits, idx + 1)
-    }
+    for (let i = 0; i < 4; i++) {
+      const char = await next()
 
-    hexits = hexits.join('')
+      if (! isHexit(char)) {
+        await fail(char, 'hex digit', previousPosition)
+        return `\\u${hexits.join('')}${char}`
+      }
 
-    if (hexits.length === 4) {
-      return String.fromCharCode(parseInt(hexits, 16))
+      hexits.push(char)
     }
 
-    await fail(char, 'hex digit', previousPosition)
-    return `\\u${hexits}${char}`
+    return String.fromCharCode(parseInt(hexits.join(''), 16))
   }
 
   async function string () {
     await walkString(events.string)
-    await endValue()
   }
 
   async function number (firstCharacter) {
@@ -553,14 +541,15 @@ function initialise (stream, options = {}) {
 
   async function walkDigits (digits) {
     try {
-      await awaitCharacter()
+      while (true) {
+        await awaitCharacter()
+
+        if (! isDigit(character())) {
+          return false
+        }
 
-      if (isDigit(character())) {
         digits.push(await next())
-        return walkDigits(digits)
       }
-
-      return false
     } catch (_) {
       return true
     }
@@ -568,7 +557,6 @@ function initialise (stream, options = {}) {
 
   async function endNumber (digits) {
     await emit(events.number, parseFloat(digits.join('')))
-    await endValue()
   }
 
   function literalFalse () {
@@ -576,32 +564,30 @@ function initialise (stream, options = {}) {
   }
 
   async function literal (expectedCharacters, val) {
-    try {
-      await awaitCharacter()
+    let consumed = 0
 
-      const actual = await next()
-      const expected = expectedCharacters.shift()
+    try {
+      for (; consumed < expectedCharacters.length; consumed++) {
+        await awaitCharacter()
 
-      if (actual !== expected) {
-        // eslint-disable-next-line no-throw-literal
-        throw [ actual, expected ]
-      }
+        const actual = await next()
+        const expected = expectedCharacters[consumed]
 
-      if (expectedCharacters.length === 0) {
-        await emit(events.literal, val)
-        return endValue()
+        if (actual !== expected) {
+          if (consumed < expectedCharacters.length - 1) {
+            await fail('EOF', expectedCharacters[consumed + 1], currentPosition)
+          } else {
+            await fail(actual, expected, previousPosition)
+          }
+          return
+        }
       }
 
-      await literal(expectedCharacters, val)
-    } catch (err) {
-      if (expectedCharacters.length > 0) {
-        await fail('EOF', expectedCharacters[0], currentPosition)
-      } else if (Array.isArray(err)) {
-        const [ actual, expected ] = err
-        await fail(actual, expected, previousPosition)
+      await emit(events.literal, val)
+    } catch (_) {
+      if (consumed < expectedCharacters.length) {
+        await fail('EOF', expectedCharacters[consumed], currentPosition)
       }
-
-      return endValue()
     }
   }
 
@@ -646,12 +632,9 @@ function initialise (stream, options = {}) {
   }
 
   async function popScopes () {
-    if (scopes.length === 0) {
-      return
+    while (scopes.length > 0) {
+      await fail('EOF', terminators[scopes.pop()], currentPosition)
     }
-
-    await fail('EOF', terminators[scopes.pop()], currentPosition)
-    await popScopes()
   }
 }
 

package/test/memory.js

@@ -0,0 +1,56 @@
+'use strict'
+
+const assert = require('chai').assert
+const { Readable } = require('stream')
+
+const bfj = require('../src')
+
+const ELEMENT_COUNT = 1_000_000
+
+suite('memory:', () => {
+  test('walk does not OOM on large array', function (done) {
+    this.timeout(120_000)
+
+    const json = `[${new Array(ELEMENT_COUNT).fill('1').join(',')}]`
+    const stream = new Readable()
+    stream._read = () => {}
+    stream.push(json)
+    stream.push(null)
+
+    let count = 0
+    const baselineRss = process.memoryUsage().rss
+    const emitter = bfj.walk(stream)
+
+    emitter.on('num', () => { count++ })
+    emitter.on('err', done)
+    emitter.on('err-data', (err) => done(err))
+    emitter.on('end', () => {
+      const peakRss = process.memoryUsage().rss
+      const growth = peakRss - baselineRss
+      assert.strictEqual(count, ELEMENT_COUNT)
+      assert.isBelow(growth, 512 * 1024 * 1024, `RSS grew by ${(growth / 1024 / 1024).toFixed(0)} MB`)
+      done()
+    })
+  })
+
+  test('eventify does not OOM on large array', function (done) {
+    this.timeout(120_000)
+
+    const data = new Array(ELEMENT_COUNT).fill(1)
+
+    let count = 0
+    const baselineRss = process.memoryUsage().rss
+    const emitter = bfj.eventify(data)
+
+    emitter.on('num', () => { count++ })
+    emitter.on('err', done)
+    emitter.on('err-data', (err) => done(err))
+    emitter.on('end', () => {
+      const peakRss = process.memoryUsage().rss
+      const growth = peakRss - baselineRss
+      assert.strictEqual(count, ELEMENT_COUNT)
+      assert.isBelow(growth, 512 * 1024 * 1024, `RSS grew by ${(growth / 1024 / 1024).toFixed(0)} MB`)
+      done()
+    })
+  })
+})

package/test/unit/jsonpath.js

@@ -0,0 +1,249 @@
+'use strict'
+
+const assert = require('chai').assert
+
+const modulePath = '../../src/jsonpath'
+
+suite('jsonpath:', () => {
+  let parseJsonPath
+
+  setup(() => {
+    parseJsonPath = require(modulePath)
+  })
+
+  test('require does not throw', () => {
+    assert.doesNotThrow(() => require(modulePath))
+  })
+
+  test('require returns function', () => {
+    assert.isFunction(require(modulePath))
+  })
+
+  suite('valid paths:', () => {
+    test('$.foo returns member identifier', () => {
+      assert.deepEqual(parseJsonPath('$.foo'), [
+        { expression: { type: 'root', value: '$' } },
+        { expression: { type: 'identifier', value: 'foo' }, operation: 'member', scope: 'child' },
+      ])
+    })
+
+    test('$.foo.bar returns chained members', () => {
+      assert.deepEqual(parseJsonPath('$.foo.bar'), [
+        { expression: { type: 'root', value: '$' } },
+        { expression: { type: 'identifier', value: 'foo' }, operation: 'member', scope: 'child' },
+        { expression: { type: 'identifier', value: 'bar' }, operation: 'member', scope: 'child' },
+      ])
+    })
+
+    test('$[0] returns numeric subscript', () => {
+      assert.deepEqual(parseJsonPath('$[0]'), [
+        { expression: { type: 'root', value: '$' } },
+        { expression: { type: 'numeric_literal', value: 0 }, operation: 'subscript', scope: 'child' },
+      ])
+    })
+
+    test('$[42] returns numeric subscript', () => {
+      assert.deepEqual(parseJsonPath('$[42]'), [
+        { expression: { type: 'root', value: '$' } },
+        { expression: { type: 'numeric_literal', value: 42 }, operation: 'subscript', scope: 'child' },
+      ])
+    })
+
+    test('$["foo"] returns string subscript with double quotes', () => {
+      assert.deepEqual(parseJsonPath('$["foo"]'), [
+        { expression: { type: 'root', value: '$' } },
+        { expression: { type: 'string_literal', value: 'foo' }, operation: 'subscript', scope: 'child' },
+      ])
+    })
+
+    test("$['foo'] returns string subscript with single quotes", () => {
+      assert.deepEqual(parseJsonPath("$['foo']"), [
+        { expression: { type: 'root', value: '$' } },
+        { expression: { type: 'string_literal', value: 'foo' }, operation: 'subscript', scope: 'child' },
+      ])
+    })
+
+    test('$[*] returns wildcard subscript', () => {
+      assert.deepEqual(parseJsonPath('$[*]'), [
+        { expression: { type: 'root', value: '$' } },
+        { expression: { type: 'wildcard', value: '*' }, operation: 'subscript', scope: 'child' },
+      ])
+    })
+
+    test('$.foo.bar[*] returns mixed path', () => {
+      assert.deepEqual(parseJsonPath('$.foo.bar[*]'), [
+        { expression: { type: 'root', value: '$' } },
+        { expression: { type: 'identifier', value: 'foo' }, operation: 'member', scope: 'child' },
+        { expression: { type: 'identifier', value: 'bar' }, operation: 'member', scope: 'child' },
+        { expression: { type: 'wildcard', value: '*' }, operation: 'subscript', scope: 'child' },
+      ])
+    })
+
+    test('$._private returns identifier with underscore prefix', () => {
+      assert.deepEqual(parseJsonPath('$._private'), [
+        { expression: { type: 'root', value: '$' } },
+        { expression: { type: 'identifier', value: '_private' }, operation: 'member', scope: 'child' },
+      ])
+    })
+
+    test('$.$ref returns identifier with dollar prefix', () => {
+      assert.deepEqual(parseJsonPath('$.$ref'), [
+        { expression: { type: 'root', value: '$' } },
+        { expression: { type: 'identifier', value: '$ref' }, operation: 'member', scope: 'child' },
+      ])
+    })
+
+    test('$["foo"].bar returns bracket then dot chaining', () => {
+      assert.deepEqual(parseJsonPath('$["foo"].bar'), [
+        { expression: { type: 'root', value: '$' } },
+        { expression: { type: 'string_literal', value: 'foo' }, operation: 'subscript', scope: 'child' },
+        { expression: { type: 'identifier', value: 'bar' }, operation: 'member', scope: 'child' },
+      ])
+    })
+
+    test('$[0][1] returns consecutive brackets', () => {
+      assert.deepEqual(parseJsonPath('$[0][1]'), [
+        { expression: { type: 'root', value: '$' } },
+        { expression: { type: 'numeric_literal', value: 0 }, operation: 'subscript', scope: 'child' },
+        { expression: { type: 'numeric_literal', value: 1 }, operation: 'subscript', scope: 'child' },
+      ])
+    })
+
+    test('$[0].foo[*] returns bracket-dot-bracket chaining', () => {
+      assert.deepEqual(parseJsonPath('$[0].foo[*]'), [
+        { expression: { type: 'root', value: '$' } },
+        { expression: { type: 'numeric_literal', value: 0 }, operation: 'subscript', scope: 'child' },
+        { expression: { type: 'identifier', value: 'foo' }, operation: 'member', scope: 'child' },
+        { expression: { type: 'wildcard', value: '*' }, operation: 'subscript', scope: 'child' },
+      ])
+    })
+  })
+
+  suite('rejection:', () => {
+    test('empty string throws', () => {
+      assert.throws(() => parseJsonPath(''), /Invalid jsonpath/)
+    })
+
+    test('$ alone throws', () => {
+      assert.throws(() => parseJsonPath('$'), /Invalid jsonpath/)
+    })
+
+    test('does not start with $ throws', () => {
+      assert.throws(() => parseJsonPath('foo.bar'), /Invalid jsonpath/)
+    })
+
+    test('$..foo recursive descent throws', () => {
+      assert.throws(() => parseJsonPath('$..foo'), /Invalid jsonpath/)
+    })
+
+    test('$.foo[?(@.bar)] filter expression throws', () => {
+      assert.throws(() => parseJsonPath('$.foo[?(@.bar)]'), /Invalid jsonpath/)
+    })
+
+    test('$[(@.length-1)] script expression throws', () => {
+      assert.throws(() => parseJsonPath('$[(@.length-1)]'), /Invalid jsonpath/)
+    })
+
+    test('$.foo[-1] negative index throws', () => {
+      assert.throws(() => parseJsonPath('$.foo[-1]'), /Invalid jsonpath/)
+    })
+
+    test('$.foo[0:5] slice throws', () => {
+      assert.throws(() => parseJsonPath('$.foo[0:5]'), /Invalid jsonpath/)
+    })
+
+    test('unterminated bracket throws', () => {
+      assert.throws(() => parseJsonPath('$.foo[0'), /Invalid jsonpath/)
+    })
+
+    test('unterminated string throws', () => {
+      assert.throws(() => parseJsonPath('$.foo["bar'), /Invalid jsonpath/)
+    })
+
+    test('$.123 identifier starting with digit throws', () => {
+      assert.throws(() => parseJsonPath('$.123'), /Invalid jsonpath/)
+    })
+
+    test('backslash escape in double-quoted string throws', () => {
+      assert.throws(() => parseJsonPath('$["foo\\"bar"]'), /Invalid jsonpath/)
+    })
+
+    test('backslash escape in single-quoted string throws', () => {
+      assert.throws(() => parseJsonPath("$['it\\'s']"), /Invalid jsonpath/)
+    })
+  })
+
+  suite('security:', () => {
+    test('prototype traversal RCE parses without code execution', () => {
+      assert.throws(() => parseJsonPath('$[?(@.constructor.constructor("return process")().exit())]'))
+    })
+
+    test('$.__proto__ parses to inert AST without code execution', () => {
+      const result = parseJsonPath('$.__proto__')
+      assert.deepEqual(result, [
+        { expression: { type: 'root', value: '$' } },
+        { expression: { type: 'identifier', value: '__proto__' }, operation: 'member', scope: 'child' },
+      ])
+    })
+
+    test('$["__proto__"] parses to inert AST without code execution', () => {
+      const result = parseJsonPath('$["__proto__"]')
+      assert.deepEqual(result, [
+        { expression: { type: 'root', value: '$' } },
+        { expression: { type: 'string_literal', value: '__proto__' }, operation: 'subscript', scope: 'child' },
+      ])
+    })
+
+    test('$.constructor parses to inert AST without code execution', () => {
+      const result = parseJsonPath('$.constructor')
+      assert.deepEqual(result, [
+        { expression: { type: 'root', value: '$' } },
+        { expression: { type: 'identifier', value: 'constructor' }, operation: 'member', scope: 'child' },
+      ])
+    })
+
+    test('$["constructor"] parses to inert AST without code execution', () => {
+      const result = parseJsonPath('$["constructor"]')
+      assert.deepEqual(result, [
+        { expression: { type: 'root', value: '$' } },
+        { expression: { type: 'string_literal', value: 'constructor' }, operation: 'subscript', scope: 'child' },
+      ])
+    })
+
+    test('$.prototype parses to inert AST without code execution', () => {
+      const result = parseJsonPath('$.prototype')
+      assert.deepEqual(result, [
+        { expression: { type: 'root', value: '$' } },
+        { expression: { type: 'identifier', value: 'prototype' }, operation: 'member', scope: 'child' },
+      ])
+    })
+
+    test('eval injection in filter throws', () => {
+      assert.throws(() => parseJsonPath('$[?(@.eval("process.exit()"))]'))
+    })
+
+    test('semicolon expression escape throws', () => {
+      assert.throws(() => parseJsonPath('$.foo; process.exit()'))
+    })
+
+    test('newline expression escape throws', () => {
+      assert.throws(() => parseJsonPath('$.foo\nprocess.exit()'))
+    })
+
+    test('CRLF injection throws', () => {
+      assert.throws(() => parseJsonPath("$.foo\r\nrequire('child_process').exec('rm -rf /')"))
+    })
+
+    test('Function constructor in bracket throws', () => {
+      assert.throws(() => parseJsonPath('$[new Function("return process")()]'))
+    })
+
+    test('eval in bracket throws', () => {
+      assert.throws(() => parseJsonPath('$[eval("1")]'))
+    })
+
+    test('bracket injection attempt throws', () => {
+      assert.throws(() => parseJsonPath('$.foo](malicious)[bar'))
+    })
+  })
+})

package/test/unit/walk.js

@@ -1054,6 +1054,50 @@ suite('walk:', () => {
       })
     })
 
+    suite('string containing early bad unicode escape sequence:', () => {
+      let stream, emitter
+
+      setup(done => {
+        stream = new Readable()
+        stream._read = () => {}
+
+        emitter = walk(stream)
+
+        stream.push('"\\u0Gxx"')
+        stream.push(null)
+
+        Object.entries(events).forEach(([ key, value ]) => {
+          emitter.on(value, spooks.fn({
+            name: key,
+            log: log
+          }))
+        })
+
+        emitter.on(events.end, done)
+      })
+
+      test('dataError event occurred once', () => {
+        assert.strictEqual(log.counts.dataError, 1)
+      })
+
+      test('dataError event was dispatched correctly', () => {
+        assert.strictEqual(log.args.dataError[0][0].actual, 'G')
+        assert.strictEqual(log.args.dataError[0][0].expected, 'hex digit')
+      })
+
+      test('string event occurred once', () => {
+        assert.strictEqual(log.counts.string, 1)
+      })
+
+      test('string event was dispatched correctly', () => {
+        assert.strictEqual(log.args.string[0][0], '\\u0Gxx')
+      })
+
+      test('end event occurred once', () => {
+        assert.strictEqual(log.counts.end, 1)
+      })
+    })
+
     suite('unterminated string:', () => {
       let stream, emitter