Is using jsonfilter with untrusted data safe?

Hi,

I would like to query an external site and extract the response JSON fields into variables using the jsonfilter -e option:

```sh
JSON="$(curl -s https://ipinfo.io)"

# curl failed
[ $? -ne 0 ] && return 0
# empty response
[ -z "$JSON" ] && return 0

# "$JSON" is quoted so the response is not word-split or glob-expanded by echo
eval "$(echo "$JSON" | jsonfilter -e 'IP_ADDR=@["ip"]' -e 'CITY=@["city"]' -e 'REGION=@["region"]' -e 'COUNTRY=@["country"]')"
```

Is it safe to use? If someone performed a MITM attack or controlled the external IP's hostname (let's assume he would be able to inject arbitrary characters into the JSON output to simplify things), is it possible to force the eval into command injection?

1 Like

As JSON is a data format, by design it should be safe. So what you are actually asking is whether there are known bugs in jsonfilter which can be exploited with a malicious JSON file.
I suppose the answer is no. If there were known vulnerabilities, they would have been fixed.

1 Like
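Whether the eval in the question is safe depends on every remote value reaching it as one quoted literal, and on the script rejecting values that do not look like what it expects. The following POSIX sh sketch is an added example, not code from the thread or from jsonfilter; `sq_quote`, `safe_assign` and `is_ipv4` are hypothetical helper names, the hostile string is constructed, and the validator assumes only IPv4 addresses are wanted.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, sample input is constructed.

# Emit $1 as one single-quoted shell word; each embedded ' becomes '\''.
sq_quote() {
    _q="'" _rest=$1 _out=
    while :; do
        case $_rest in
            *"$_q"*)
                _head=${_rest%%"$_q"*}      # text before the first quote
                _rest=${_rest#*"$_q"}       # text after it
                _out=$_out$_head$_q\\$_q$_q ;;
            *)  _out=$_out$_rest; break ;;
        esac
    done
    printf "'%s'" "$_out"
}

# Assign value $2 to variable $1 via eval: the name must be a plain
# identifier, and the value only ever reaches eval in quoted form.
safe_assign() {
    case $1 in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    eval "$1=$(sq_quote "$2")"
}

# Allowlist check for the "ip" field: dotted-quad IPv4, octets 0..255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    _old_ifs=$IFS; IFS=.; set -- $1; IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ ${#_o} -le 3 ] && [ "$_o" -le 255 ] || return 1
    done
}

# Constructed hostile field value that tries to close the quote and run code.
HOSTILE="Paris'; INJECTED=yes; echo \$(id) '"
safe_assign CITY "$HOSTILE" && printf 'CITY=%s\n' "$CITY"
is_ipv4 "$HOSTILE" || echo "rejected: not an IPv4 address"
```

The hostile string ends up stored verbatim in `CITY` and nothing in it is executed; the same test can be run against the real output of any tool whose result is fed to `eval`.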
