Affected version: 26.4.2 (confirmed still present in 26.5.1)
Component: com.arcadedb.function.polyglot.JavascriptFunctionDefinition
Summary
The function string-concatenates user-controlled arguments into JavaScript source, then calls polyglotEngine.eval(...). A heuristic skips escaping when the value "looks like JSON", i.e. opens with { or [ and closes with } or ] (plus a colon somewhere for the object case); the same branch also passes through any value wrapped in single quotes. The check is purely lexical: nothing parses the value as JSON, so any JavaScript expression that happens to start and end with braces or brackets is spliced verbatim into the source. Any caller able to influence such a string argument can inject arbitrary JavaScript.
Code
engine/com/arcadedb/function/polyglot/JavascriptFunctionDefinition.java:123–129
final boolean looksLikeJson =
(trimmed.startsWith("{") && trimmed.endsWith("}") && trimmed.length() > 2 && trimmed.contains(":")) ||
(trimmed.startsWith("[") && trimmed.endsWith("]") && trimmed.length() > 2);
final boolean alreadyQuoted =
(trimmed.startsWith("'") && trimmed.endsWith("'") && trimmed.length() > 1);
if (looksLikeJson || alreadyQuoted) {
// Pass through as-is for JSON-like objects/arrays or already-quoted strings
return str;
}
Impact
Arbitrary JavaScript execution inside the polyglot engine, e.g. {a:require('child_process').execSync('id'),b:1}. The exact post-exploitation primitive depends on what the context exposes to scripts (Node-style require, host/Java interop), but in every configuration the injected source runs with the same privileges as the legitimate function body, which defeats every sandbox boundary the engine attempts.
Suggested fix
Always JSON-encode (or JS-string-escape) the value, with no pass-through branch at all. If structured data must reach the function, marshal it as ProxyObject / ProxyArray and hand it over as a Value argument when executing the compiled function, never via source concatenation. Parsing the JSON on the Java side and binding the result is equally acceptable; what must go is any path where user bytes become part of the evaluated source.
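The following is an added example written for this report, not ArcadeDB's code. It reconstructs the quoted heuristic (the non-passthrough branch is an assumption, since the page does not show it), places a hardened string-literal encoder beside it, and shows the preferred fix of binding data as a ProxyObject through the GraalVM polyglot API. It assumes the org.graalvm.polyglot polyglot and js artifacts are on the classpath; the payload is constructed for the demo and uses a harmless global assignment in place of require(...).

```java
import java.util.Map;

import org.graalvm.polyglot.Context;
import org.graalvm.polyglot.Value;
import org.graalvm.polyglot.proxy.ProxyObject;

// Added example, not ArcadeDB code. Assumes the GraalVM polyglot API and the
// GraalJS language are available on the classpath.
public class PolyglotArgDemo {

  // Reconstruction of the heuristic quoted in the advisory. The else branch is
  // an assumption: the page does not show what the original does there.
  static String vulnerableQuote(final String str) {
    final String trimmed = str.trim();
    final boolean looksLikeJson =
        (trimmed.startsWith("{") && trimmed.endsWith("}") && trimmed.length() > 2 && trimmed.contains(":")) ||
        (trimmed.startsWith("[") && trimmed.endsWith("]") && trimmed.length() > 2);
    final boolean alreadyQuoted =
        (trimmed.startsWith("'") && trimmed.endsWith("'") && trimmed.length() > 1);
    if (looksLikeJson || alreadyQuoted)
      return str;                                   // spliced verbatim into the source
    return "'" + str.replace("'", "\\'") + "'";     // assumed non-passthrough behaviour
  }

  // Hardened replacement: every value becomes a JS string literal, no exceptions.
  // Escapes the quote, backslash, control characters and the two line terminators
  // (U+2028/U+2029) that JSON allows raw but a JS string literal may not.
  static String jsStringLiteral(final String s) {
    final StringBuilder sb = new StringBuilder(s.length() + 2).append('"');
    for (int i = 0; i < s.length(); i++) {
      final char c = s.charAt(i);
      switch (c) {
        case '"':      sb.append("\\\"");   break;
        case '\\':     sb.append("\\\\");   break;
        case '\n':     sb.append("\\n");    break;
        case '\r':     sb.append("\\r");    break;
        case '\u2028': sb.append("\\u2028"); break;
        case '\u2029': sb.append("\\u2029"); break;
        default:
          if (c < 0x20) sb.append(String.format("\\u%04x", (int) c));
          else sb.append(c);
      }
    }
    return sb.append('"').toString();
  }

  // Evaluates "var x = <quoted>;" and reports whether the payload's implicit
  // global assignment ran, i.e. whether the value was parsed as code.
  static boolean injectionFired(final String quoted) {
    try (Context ctx = Context.create("js")) {
      ctx.eval("js", "var x = " + quoted + ";");
      return ctx.eval("js", "typeof injected !== 'undefined'").asBoolean();
    }
  }

  // Preferred fix: compile the function once, then pass the data as a polyglot
  // Value. The map's contents never reach the JavaScript parser.
  static String callWithBoundArg(final Map<String, Object> payload) {
    try (Context ctx = Context.create("js")) {
      final Value fn = ctx.eval("js", "(function(arg) { return arg.a + ':' + arg.b; })");
      return fn.execute(ProxyObject.fromMap(payload)).asString();
    }
  }

  public static void main(final String[] args) {
    // Constructed payload: satisfies looksLikeJson (braces plus a colon) but is a
    // JavaScript object literal whose property value is an assignment expression.
    final String evil = "{a:(injected=true),b:1}";

    System.out.println("heuristic pass-through fired: " + injectionFired(vulnerableQuote(evil)));
    System.out.println("always-escaped fired:         " + injectionFired(jsStringLiteral(evil)));

    // Structured data stays data even when a field contains JS-looking text.
    System.out.println("bound argument result:        " + callWithBoundArg(Map.of("a", evil, "b", 1)));
  }
}
```

main runs the same payload through all three paths; only the heuristic pass-through lets the assignment execute, while the escaped literal and the bound ProxyObject both deliver the braces-and-colon string to the script as inert data. When adopting the ProxyObject route, compile the function body once at definition time and reuse the Value, so that no per-call string ever re-enters eval.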