
fix: validate the user inputs and add documentation for the CLI

Open aminya opened this issue 1 year ago • 4 comments

Fixes #16

aminya, May 06 '24 06:05

@lefticus Could you take a look at this? The user input verification is quite important in terms of security.

aminya, May 19 '24 06:05

@lefticus A kind reminder on this if you have missed it. These security issues are important.

aminya, Oct 01 '24 22:10

@aminya since invalid input would result in generated code that cannot compile, I'm curious how this qualifies as a security issue. Could you provide an example for how invalid input can generate code that compiles and is dangerous or in some way compromises the generator itself?

lefticus, Nov 01 '24 16:11

> @aminya since invalid input would result in generated code that cannot compile, I'm curious how this qualifies as a security issue. Could you provide an example for how invalid input can generate code that compiles and is dangerous or in some way compromises the generator itself?

Fortunately, the generated code does not seem to be affected. However, the json2cpp CLI itself still segfaults, and if in some situations it is exposed to user input, it can allow access to the memory.

This PR also solves the usability issue for developers. Previously, the failures were silent or could result in segfaults.

aminya, Nov 01 '24 20:11
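As an added illustration of the kind of check the thread is about (this is not json2cpp's own code and not the diff in this PR), here is a minimal C++ argument validator for a json2cpp-style CLI. It checks the argument count before touching any argument, so a missing argument produces a usage error instead of an out-of-bounds read of argv, and it validates each value (type name, input file, output base) before any generation step would run. The three-argument layout `<type_name> <input.json> <output_base>` and the identifier check on the type name are assumptions made for this example.

```cpp
#include <cctype>
#include <cstdio>
#include <fstream>
#include <string>
#include <vector>

// Result of validating the command line. On failure `ok` is false and
// `error` explains why, so the CLI can print a usage message and exit
// non-zero instead of continuing with missing or bogus values.
struct CliArgs {
  bool ok = false;
  std::string error;
  std::string type_name;
  std::string input_file;
  std::string output_base;
};

// True if `name` has the shape of a C++ identifier: [A-Za-z_][A-Za-z0-9_]*.
// Assumed check for this example: the type name ends up in generated source,
// so rejecting it here gives a clear error instead of uncompilable output.
bool is_cpp_identifier(const std::string& name) {
  if (name.empty()) return false;
  const unsigned char first = static_cast<unsigned char>(name[0]);
  if (!(std::isalpha(first) || first == '_')) return false;
  for (char c : name) {
    const unsigned char uc = static_cast<unsigned char>(c);
    if (!(std::isalnum(uc) || uc == '_')) return false;
  }
  return true;
}

// Validate the argument vector without ever indexing past its end.
// `args` excludes argv[0]. Assumed layout: <type_name> <input.json> <output_base>.
CliArgs validate_cli(const std::vector<std::string>& args) {
  CliArgs result;
  if (args.size() != 3) {
    result.error = "usage: json2cpp <type_name> <input.json> <output_base> (got " +
                   std::to_string(args.size()) + " arguments)";
    return result;
  }
  if (!is_cpp_identifier(args[0])) {
    result.error = "type name '" + args[0] + "' is not a valid C++ identifier";
    return result;
  }
  std::ifstream in(args[1]);
  if (!in) {
    result.error = "cannot open input file '" + args[1] + "'";
    return result;
  }
  // peek() fails on an empty file and on a directory opened for reading,
  // neither of which can hold a JSON document.
  if (in.peek() == std::ifstream::traits_type::eof()) {
    result.error = "input file '" + args[1] + "' is empty or unreadable";
    return result;
  }
  if (args[2].empty()) {
    result.error = "output base name must not be empty";
    return result;
  }
  result.ok = true;
  result.type_name = args[0];
  result.input_file = args[1];
  result.output_base = args[2];
  return result;
}

int main(int argc, char** argv) {
  // Copy into a vector so the element count travels with the data; the
  // generator never reads argv[N] directly and cannot run off its end.
  std::vector<std::string> args;
  for (int i = 1; i < argc; ++i) args.emplace_back(argv[i]);

  const CliArgs cli = validate_cli(args);
  if (!cli.ok) {
    std::fprintf(stderr, "%s\n", cli.error.c_str());
    return 1;
  }
  // Generation would proceed here using cli.type_name, cli.input_file and
  // cli.output_base, all of which have been checked.
  return 0;
}
```

Every field of `CliArgs` is filled in only after validation succeeds, so downstream code never sees an unchecked value, and every failure path carries a message, which also addresses the silent-failure usability point raised in the last comment.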