**secruity**: prevent eval by default in jsonpath-plus dependency (#354)

* added tests for jsonpath

* spellcheck fix

* docs update

* update plugin dependency version

Author: yesoreyeram

CHANGELOG.md

@@ -1,5 +1,29 @@
 # Changelog
 
+## 1.3.6 (2023-05-30)
+
+- **Chore**: Docs update
+
+## 1.3.5 (2023-04-05)
+
+- **Security**: Recently, A third party researcher (Alessio Della Libera of **Snyk Research Team**) discovered and privately disclosed to us a stored XSS vulnerability in the Grafana-maintained `marcusolsson-json-datasource` plugin also known as “JSON API plugin” .
+
+Users with the editor role could perform a stored XSS attack against other viewers, editors, and administrators by including a specially crafted javascript statement in the `field` extractor in queries to the marcusolsson-json-datasource plugin. This resulted in XSS against anyone viewing a panel configured to query the datasource with a malicious query.
+
+This vulnerability worked because the `marcusolsson-json-datasource` plugin uses the `jsonpath-plus` library to evaluate editor-supplied jsonpath expressions. In its default configuration (which we used), this library is an XSS vector, as the JSONPath spec allows for embedded subexpressions, which `jsonpath-plus` implements as arbitrary javascript expressions.
+
+In order to mitigate this vulnerability, we now supply a configuration parameter to `jsonpath-plus` which forbids the evaluation of subexpressions; it is important to note that this change may **break** existing JSONPath queries that rely on filter or eval expressions.
+
+If your dashboards currently rely on JSONPath queries containing subexpressions, there are a few potential migration paths:
+
+1. For simple queries that use subexpressions for indexing/slicing, it may be possible to rewrite the query without a subexpressions for instance `[(@.length-1)]` can also be represented as `[:-1]`.
+2. For more complex queries, we suggest switching to the [`jsonata` language](http://docs.jsonata.org/simple), which the plugin also supports. This language has similar features to JSONPath, including support for filter expressions (called “predicates” in the documentation).
+3. If changing your existing queries isn’t feasible, the community plugin [“Infinity”](https://grafana.com/grafana/plugins/yesoreyeram-infinity-datasource/) supports JSONPath expressions, including filters and subexpressions if used with the `backend` parser option. Please note that Infinity is community supported plugin.
+
+## 1.3.4 (2023-04-04)
+
+- **Chore**: docs update
+
 ## 1.3.3 (2023-03-20)
 
 - **Chore**: dependencies update

cspell.config.json

@@ -3,6 +3,8 @@
     "./node_modules/",
     "./.github/",
     "./dist/",
+    "coverage",
+    "./src/**/*.test.ts",
     "./website/src/css",
     "./website/*.js",
     "./website/.docusaurus/",
@@ -11,6 +13,7 @@
     "docker-compose.yaml"
   ],
   "words": [
+    "Alessio",
     "amng",
     "clsx",
     "datasource",
@@ -20,9 +23,12 @@
     "jsonata",
     "jsonplaceholder",
     "Kensington",
+    "Libera",
     "marcusolsson",
     "Olsson",
     "rejohnst",
+    "Snyk",
+    "subexpressions",
     "testdata",
     "Timestmap",
     "Totalus",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "grafana-json-datasource",
-  "version": "1.3.3",
+  "version": "1.3.6",
   "description": "A data source plugin for loading JSON APIs into Grafana",
   "keywords": [
     "grafana",

src/datasource.ts

@@ -14,6 +14,7 @@ import {
 import { getTemplateSrv } from '@grafana/runtime';
 import jsonata from 'jsonata';
 import { JSONPath } from 'jsonpath-plus';
+import { jp } from './jsonpath';
 import _ from 'lodash';
 import API from './api';
 import { detectFieldType } from './detectFieldType';
@@ -173,7 +174,7 @@ export class JsonDataSource extends DataSourceApi<JsonApiQuery, JsonApiDataSourc
             };
           default:
             const path = replaceWithVars(field.jsonPath);
-            const values = JSONPath({ path, json });
+            const values = jp({ path, json });
 
             // Get the path for automatic setting of the field name.
             //
@@ -244,9 +245,11 @@ export class JsonDataSource extends DataSourceApi<JsonApiQuery, JsonApiDataSourc
   }
 }
 
-const replace = (scopedVars?: any, range?: TimeRange) => (str: string): string => {
-  return replaceMacros(getTemplateSrv().replace(str, scopedVars), range);
-};
+const replace =
+  (scopedVars?: any, range?: TimeRange) =>
+  (str: string): string => {
+    return replaceMacros(getTemplateSrv().replace(str, scopedVars), range);
+  };
 
 // replaceMacros substitutes all available macros with their current value.
 export const replaceMacros = (str: string, range?: TimeRange) => {

src/jsonpath.test.ts

@@ -0,0 +1,75 @@
+import { jp } from './jsonpath';
+
+describe('jsonpath test', () => {
+  it('sanity test 1', async () => {
+    const result = jp({
+      json: [
+        { name: 'foo', age: 30 },
+        { name: 'bar', age: 17 },
+      ],
+      path: '$.*.name',
+    });
+    expect(result).toStrictEqual(['foo', 'bar']);
+  });
+  it('sanity test 2', async () => {
+    const result = jp({
+      json: [
+        { name: 'foo', age: 30 },
+        { name: 'bar', age: 17 },
+      ],
+      path: '$.0.name',
+    });
+    expect(result).toStrictEqual(['foo']);
+  });
+  it('sanity test 3', async () => {
+    const json = {
+      store: {
+        book: [
+          {
+            category: 'reference',
+            author: 'Nigel Rees',
+            title: 'Sayings of the Century',
+            price: 8.95,
+          },
+          {
+            category: 'fiction',
+            author: 'Evelyn Waugh',
+            title: 'Sword of Honour',
+            price: 12.99,
+          },
+          {
+            category: 'fiction',
+            author: 'Herman Melville',
+            title: 'Moby Dick',
+            isbn: '0-553-21311-3',
+            price: 8.99,
+          },
+          {
+            category: 'fiction',
+            author: 'J. R. R. Tolkien',
+            title: 'The Lord of the Rings',
+            isbn: '0-395-19395-8',
+            price: 22.99,
+          },
+        ],
+        bicycle: {
+          color: 'red',
+          price: 19.95,
+        },
+      },
+      expensive: 10,
+    };
+    expect(jp({ json, path: '$.store.book.length' })).toStrictEqual([4]);
+  });
+  it('sanity test 4', () => {
+    expect(() => {
+      jp({
+        json: [
+          { name: 'foo', age: 30 },
+          { name: 'bar', age: 17 },
+        ],
+        path: `$..[?(@property !== this.constructor.constructor("alert('foo')")();)]`,
+      });
+    }).toThrow();
+  });
+});

src/jsonpath.ts

@@ -0,0 +1,8 @@
+import { JSONPath, JSONPathOptions } from 'jsonpath-plus';
+
+export function jp(options: JSONPathOptions): any {
+  return JSONPath({
+    ...options,
+    preventEval: true,
+  });
+}

src/plugin.json

@@ -39,8 +39,8 @@
     "updated": "%TODAY%"
   },
   "dependencies": {
-    "grafanaDependency": ">=7.3.0",
-    "grafanaVersion": "7.3.0",
+    "grafanaDependency": ">=8.5.13",
+    "grafanaVersion": "8.5.x",
     "plugins": []
   }
 }

src/suggestions.ts

@@ -1,5 +1,5 @@
 import { TypeaheadInput, TypeaheadOutput } from '@grafana/ui';
-import { JSONPath } from 'jsonpath-plus';
+import { jp } from './jsonpath';
 
 /**
  * onSuggest returns suggestions for the current JSON Path and cursor position.
@@ -83,7 +83,7 @@ export const onSuggest = async (input: TypeaheadInput, onData: () => Promise<any
   // Get the actual JSON for parsing.
   const response = await onData();
 
-  const values = JSONPath({ path, json: response });
+  const values = jp({ path, json: response });
 
   // Don't attempt to suggest if this is a leaf node, e.g. strings, numbers, and booleans.
   if (typeof values[0] !== 'object') {