Skip to content

Commit

Permalink
distinct cjs and esm output using rollup; docs update pre-v3.0.0
Browse files Browse the repository at this point in the history
  • Loading branch information
Phillip Clark committed Oct 26, 2021
1 parent 5dc458f commit 91dede7
Show file tree
Hide file tree
Showing 30 changed files with 4,199 additions and 26,756 deletions.
2 changes: 1 addition & 1 deletion .eslintrc.json
View file
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"env": {
"browser": false,
"es2021": true,
"es2020": true,
"node": true,
"mocha": true
},
Expand Down
167 changes: 95 additions & 72 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,27 +8,25 @@ Supports [Relative JSON Pointers](https://tools.ietf.org/id/draft-handrews-relat

## Background

I wrote this a few years back when I was unable to find a _complete implementation_ of [RFC 6901](https://tools.ietf.org/html/rfc6901). It turns out that I now use the hell out of it.

## Security Vulnerability prior to v2.1.0

There is a security vulnerability in versions prior to v2.1.0 in which an unscrupulous actor may execute arbitrary code. If your code sends un-sanitized user input to `json-ptr`'s `.get()` method, your project is vulnerable to this injection-style vulnerability.

If your code is vulnerable, you should upgrade immediately, and also, stop sending un-sanitized user input to `json-ptr`.

## Breaking Changes at v1.3.0

As was rightly pointed out in [this issue](https://github.com/flitbit/json-ptr/issues/24), I should have rolled the major version at `v1.3.0` instead of the minor version due to [breaking changes to the API](#user-content-where-did-the-global-functions-go). Not the worst blunder I've made, but my apologies all the same. Since the ship has sailed, I'm boosting the visibility of these breaking changes.
I wrote this a few years back when I was unable to find a _complete implementation_ of [RFC 6901](https://tools.ietf.org/html/rfc6901). It turns out that I now use the hell out of it. I hope you also find it useful.

## Install

```bash
npm install json-ptr
```

## Release Bundles

As of v3.0.0, we provide CJS, ESM, and UMD builds under the `dist/` folder, and appropriate references in our `package.json` file, so your code should just work. If you reference `json-ptr` on a CDN, try [UNPKG](https://unpkg.com/), which picks up our releases automatically.

## Use

### [nodejs](https://nodejs.org/en/)
Both CJS and ESM are supported.

```javascript
const { JsonPointer } = require('json-ptr');
```

```javascript
import { JsonPointer } from 'json-ptr';
Expand Down Expand Up @@ -65,7 +63,7 @@ const versions: Record<SupportedVersion, PrimaryGuestNamePointers> = {
name: JsonPointer.create('/primary/primaryGuest/name'),
surname: JsonPointer.create('/primary/primaryGuest/surname'),
honorific: JsonPointer.create('/primary/primaryGuest/honorific'),
}
},
};

interface Reservation extends Record<string, unknown> {
Expand Down Expand Up @@ -94,21 +92,25 @@ function primaryGuestName(reservation: Reservation): string {

// The original layout of a reservation (only the parts relevant to our example)
const reservationV1: Reservation = {
guests: [{
name: 'Wilbur',
surname: 'Finkle',
honorific: 'Mr.'
}, {
name: 'Wanda',
surname: 'Finkle',
honorific: 'Mrs.'
}, {
name: 'Wilma',
surname: 'Finkle',
honorific: 'Miss',
child: true,
age: 12
}]
guests: [
{
name: 'Wilbur',
surname: 'Finkle',
honorific: 'Mr.',
},
{
name: 'Wanda',
surname: 'Finkle',
honorific: 'Mrs.',
},
{
name: 'Wilma',
surname: 'Finkle',
honorific: 'Miss',
child: true,
age: 12,
},
],
// ...
};

Expand All @@ -119,36 +121,48 @@ const reservationV1_1: Reservation = {
primaryGuest: {
name: 'Wilbur',
surname: 'Finkle',
honorific: 'Mr.'
honorific: 'Mr.',
},
additionalGuests: [{
name: 'Wanda',
surname: 'Finkle',
honorific: 'Mrs.'
}, {
name: 'Wilma',
surname: 'Finkle',
honorific: 'Miss',
child: true,
age: 12
}]
additionalGuests: [
{
name: 'Wanda',
surname: 'Finkle',
honorific: 'Mrs.',
},
{
name: 'Wilma',
surname: 'Finkle',
honorific: 'Miss',
child: true,
age: 12,
},
],
// ...
}
},
// ...
};

console.log(primaryGuestName(reservationV1));
console.log(primaryGuestName(reservationV1_1));

```

## Security Vulnerabilities (Resolved)

- **prior to v3.0.0** there was a security vulnerability which allowed a developer to perform prototype pollution by sending malformed path segments to `json-ptr`. If you were one of these developers, you should upgrade to v3.0.0 immediately, and stop using `json-ptr` to pollute an object's prototype. If you feel you have a legitimate reason to do so, please use another method and leave `json-ptr` out of it. Such behavior has been disallowed since it can easily be done using plain ol javascript by those determined to violate common best practice.

- **prior to v2.1.0** there was a security vulnerability which allowed an unscrupulous actor to execute arbitrary code if developers failed to sanitize user input before sending it to `json-ptr`. If your code does not sanitize user input before sending it to `json-ptr`, your project is vulnerable and you should upgrade to v3.0.0 immediately. And while your at it, start sanitized user input before sending it to any library!

## Breaking Changes at v1.3.0

As was rightly pointed out in [this issue](https://github.com/flitbit/json-ptr/issues/24), I should have rolled the major version at `v1.3.0` instead of the minor version due to [breaking changes to the API](#user-content-where-did-the-global-functions-go). Not the worst blunder I've made, but my apologies all the same. Since the ship has sailed, I'm boosting the visibility of these breaking changes.

### Where did the Global Functions Go?

In version `v1.3.0` of the library, global functions were moved to static functions of the `JsonPointer` class. There should be no difference in arguments or behavior. If you were previously importing the global functions it is a small change to destructure them and have compatible code.

| Global Fn | Static Fn | Documentation |
|---|---|---|
| `create()`| `JsonPointer.create()` | [Factory function that creates a `JsonPointer`](http://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.html#create) |
| Global Fn | Static Fn | Documentation |
| ------------------- | ------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `create()` | `JsonPointer.create()` | [Factory function that creates a `JsonPointer`](http://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.html#create) |
| `decode()` | `JsonPointer.decode()` | [Decodes the specified pointer into path segments.](http://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.html#decode) |
| `flatten()` | `JsonPointer.flatten()` | [DEvaluates the target's object graph, returning a Record&lt;Pointer, unknown> populated with pointers and the corresponding values from the graph..](http://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.html#flatten) |
| `get()` | `JsonPointer.get()` | [Gets the target object's value at the pointer's location.](http://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.html#get) |
Expand Down Expand Up @@ -241,54 +255,63 @@ It is important to recognize in the performance results that _compiled_ options

## Releases

- 2021-10-26 — **3.0.0** **Potential Security Vulnerability Patched**
- When setting a value on an object graph, a developer could purposely use `json-ptr` to pollute an object's prototype by passing invalid path segments to the set/unset operations. This behavior has been disallowed.
- 2021-05-14 — **2.2.0** _Added Handling for Relative JSON Pointers_
- [Example usage](https://github.com/flitbit/json-ptr/blob/487182100a08f4ddc7713e42ec063bbd5ce2c34c/examples/relative.js)
- 2021-05-12 — **2.1.1** _Bug fix for [#36](https://github.com/flitbit/json-ptr/issues/36)_
- @CarolynWebster reported an unintentional behavior change starting at v1.3.0. An operation involving a pointer/path that crossed a null value in the object graph resulted in an exception. In versions prior to v1.3.0 it returned `undefined` as intended. The original behavior has been restored.
- 2021-05-12 — **2.1.0** _Bug fixes for [#28](https://github.com/flitbit/json-ptr/issues/28) and [#30](https://github.com/flitbit/json-ptr/issues/30); **Security Vulnerability Patched**_
- When compiling the accessors for quickly points in an object graph, the `.get()` method was not properly delimiting single quotes. This error caused the get operation to throw an exception in during normal usage. Worse, in cases where malicious user input was sent directly to `json-ptr`, the failure to delimit single quotes allowed the execution of arbitrary code (an injection attack). The first of these issues was reported in #28 by @mprast, the second (vulnerability) by @zpbrent. Thanks also to @elimumford for the actual code used for the fix.

- When compiling the accessors for quickly accessing points in an object graph, the `.get()` method was not properly delimiting single quotes. This error caused the get operation to throw an exception in during normal usage. Worse, in cases where malicious user input was sent directly to `json-ptr`, the failure to delimit single quotes allowed the execution of arbitrary code (an injection attack). The first of these issues was reported in #28 by @mprast, the second (vulnerability) by @zpbrent. Thanks also to @elimumford for the actual code used for the fix.

- If your code sent un-sanitized user input to the `.get()` method of `json-ptr`, your project was susceptible to this security vulnerability!

- 2020-10-21 — **2.0.0** _*Breaking Change*_
- Prototype pollution using this library is now disallowed and will throw an error. I've been looking into the origin of this issue and it seems to have been disclosed by mohan on [huntr.dev](https://www.huntr.dev/bounties/1-npm-json-ptr/). I received [a PR from](https://github.com/flitbit/json-ptr/pull/26) [@luci-m-666](https://github.com/luci-m-666), but found [another PR](https://github.com/418sec/json-ptr/pull/1) by [@alromh87](https://github.com/alromh87) that looks like the origin of the solution. Don't know who to thank, but thanks all -- somebody is due a bounty.
- Just in case somebody was relying on `json-ptr` to support pointers across the prototype, I'm rolling the major version number because you're now broken.

> BEWARE of [Breaking Changes at v1.3.0!](#user-content-where-did-the-global-functions-go)
- 2020-07-20 — **1.3.2**
- Added missing `tslib` dependency.
- Documented [where the global functions are now located; moving them broke compatibility at v1.3.0](#user-content-where-did-the-global-functions-go).
- 2020-07-20 — **1.3.2**

- Added missing `tslib` dependency.
- Documented [where the global functions are now located; moving them broke compatibility at v1.3.0](#user-content-where-did-the-global-functions-go).

- 2020-07-10 — **1.3.0** **BREAKING CHANGES**

- **BREAKING CHANGE:** Global functions are now static functions on the `JsonPointer` type. See [_Where did the Global Functions Go?_](#user-content-where-did-the-global-functions-go)
- Merged new `.unset()` function contributed by @chrishalbert, updated dependencies.
- Migrated to typescript and retooled build/test/deploy pipeline. Definitely typed.
- 100% test coverage which illuminated some idiosyncrasies; maybe we killed unobserved bugs, nobody knows.

- 2019-09-14 — **1.2.0**

- Merged new `.concat` function contributed by @vuwuv, updated dependencies.

- 2019-03-10 — **1.1.2**

- Updated packages to remove critical security concern among dev dependencies'

- 2020-07-10 — **1.3.0** **BREAKING CHANGES**
- **BREAKING CHANGE:** Global functions are now static functions on the `JsonPointer` type. See [_Where did the Global Functions Go?_](#user-content-where-did-the-global-functions-go)
- Merged new `.unset()` function contributed by @chrishalbert, updated dependencies.
- Migrated to typescript and retooled build/test/deploy pipeline. Definitely typed.
- 100% test coverage which illuminated some idiosyncrasies; maybe we killed unobserved bugs, nobody knows.
- 2016-07-26 — **1.0.1**

- 2019-09-14 — **1.2.0**
- Merged new `.concat` function contributed by @vuwuv, updated dependencies.
- Fixed a problem with the Babel configuration

- 2019-03-10 — **1.1.2**
- Updated packages to remove critical security concern among dev dependencies'
- 2016-01-12 — **1.0.0**

- 2016-07-26 — **1.0.1**
- Fixed a problem with the Babel configuration
- Rolled major version to 1 to reflect breaking change in `.list(obj, fragmentId)`.

- 2016-01-12 — **1.0.0**
- Rolled major version to 1 to reflect breaking change in `.list(obj, fragmentId)`.
- 2016-01-02 — **0.3.0**

- 2016-01-02 — **0.3.0**
- Retooled for node 4+
- Better compiled pointers
- Unrolled recursive `.list` function
- Added `.map` function
- Fully linted
- Lots more tests and examples.
- Documented many previously undocumented features.
- Retooled for node 4+
- Better compiled pointers
- Unrolled recursive `.list` function
- Added `.map` function
- Fully linted
- Lots more tests and examples.
- Documented many previously undocumented features.

- 2014-10-21 — **0.2.0** Added #list function to enumerate all properties in a graph, producing fragmentId/value pairs.
- 2014-10-21 — **0.2.0** Added #list function to enumerate all properties in a graph, producing fragmentId/value pairs.

## License

Expand Down
1 change: 1 addition & 0 deletions docs/.nojekyll
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
TypeDoc added this file to prevent GitHub Pages from using Jekyll. You can turn off this behavior by setting the `githubPages` option to false.
Loading

0 comments on commit 91dede7

Please sign in to comment.