add ALLOW_JSONPATH_EVAL option to .env

2025-03-15 19:31:26 +00:00 · 2014-04-18 00:25:31 -07:00 · 2014-04-18 00:25:31 -07:00 · 13038ce841
commit 13038ce841
parent c39d4cc975
2 changed files with 10 additions and 2 deletions
--- a/.env.example
+++ b/.env.example
@ -78,6 +78,14 @@ AWS_ACCESS_KEY="your aws access key"
 # Set AWS_SANDBOX to true if you're developing Huginn code.
 AWS_SANDBOX=false

+########################
+#   Various Settings   #
+########################
+
+# Allow JSONPath eval expresions. i.e., $..price[?(@ < 20)]
+# You should not allow this on a shared Huginn box because it is not secure.
+ALLOW_JSONPATH_EVAL=false
+
 # Use Graphviz for generating diagrams instead of using Google Chart
 # Tools.  Specify a dot(1) command path built with SVG support
 # enabled.
--- a/lib/utils.rb
+++ b/lib/utils.rb
@ -56,7 +56,7 @@ module Utils
      escape = false
    end

-    result = JsonPath.new(path, :allow_eval => false).on(data.is_a?(String) ? data : data.to_json)
+    result = JsonPath.new(path, :allow_eval => ENV['ALLOW_JSONPATH_EVAL'] == "true").on(data.is_a?(String) ? data : data.to_json)
    if escape
      result.map {|r| CGI::escape r }
    else
@ -79,4 +79,4 @@ module Utils
  def self.pretty_jsonify(thing)
    JSON.pretty_generate(thing).gsub('</', '<\/')
  end
-end
+end