authorMisko Hevery2010-12-11 10:07:10 -0800
committerMisko Hevery2010-12-11 10:07:10 -0800
commita5df1fc41fcd5c9a72e3db7c861966fb68622e48 (patch)
tree1909e42fcc197830cf27fb2797d9686a4815548d
parentec4d446f898e7860c12a337200c31c3b75f663cc (diff)
Stricter JSON parsing, for security
-rw-r--r--src/parser.js7
-rw-r--r--test/JsonSpec.js12
2 files changed, 18 insertions, 1 deletions
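diff --git a/src/parser.js b/src/parser.js
index fec23899..47b23e7e 100644
--- a/src/parser.js
+++ b/src/parser.js
@@ -42,12 +42,17 @@ function lex(text, parseStringsForObjects){
 readNumber();
 } else if (isIdent(ch)) {
 readIdent();
+ // identifiers can only be if the preceding char was a { or ,
 if (was('{,') && json[0]=='{' &&
 (token=tokens[tokens.length-1])) {
 token.json = token.text.indexOf('.') == -1;
 }
 } else if (is('(){}[].,;:')) {
- tokens.push({index:index, text:ch, json:is('{}[]:,')});
+ tokens.push({
+ index:index,
+ text:ch,
+ json:(was(':[,') && is('{[')) || is('}]:,')
+ });
 if (is('{[')) json.unshift(ch);
 if (is('}]')) json.shift();
 index++;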
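Review bot: The comment added at line 24 is missing its predicate ("identifiers can only be …"), and the new `json:` expression at line 34 has no explanation of why `{` and `[` are only json when they follow `:`, `[` or `,`; both deserve a sentence, e.g. `// identifiers are only valid json (as object keys) when the preceding char was { or ,` and `// an opening { or [ is only json when it starts a value; an opening [ directly after ] or an identifier is member access, not json`. The protection is a per-token flag, so it holds only if every token kind sets json correctly and the parser rejects any token whose flag is false; readNumber, readString and the was() helper are outside this hunk, so confirm was() also matches at the very first token of the input, otherwise a top-level `{` or `[` would be flagged non-json. lex() continues outside the hunk.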
diff --git a/test/JsonSpec.js b/test/JsonSpec.js
index f0019bef..ba3366e5 100644
--- a/test/JsonSpec.js
+++ b/test/JsonSpec.js
@@ -151,6 +151,18 @@ describe('json', function(){
expect(function(){fromJson('[].constructor');}).
toThrow(new Error("Parse Error: Token '.' is not valid json at column 3 of expression [[].constructor] starting at [.constructor]."));
});
+
+ it('should not allow object dereference', function(){
+ expect(function(){fromJson('{a:1, b: $location, c:1}');}).toThrow();
+ expect(function(){fromJson("{a:1, b:[1]['__parent__']['location'], c:1}");}).toThrow();
+ });
+
+ it('should not allow assignments', function(){
+ expect(function(){fromJson("{a:1, b:[1]=1, c:1}");}).toThrow();
+ expect(function(){fromJson("{a:1, b:=1, c:1}");}).toThrow();
+ expect(function(){fromJson("{a:1, b:x=1, c:1}");}).toThrow();
+ });
+
});
});