Merge pull request #2017 from Skarlso/eliminated_eval_from_jsonpath

Update JsonPath to latest version.
2025-03-15 19:31:26 +00:00 · 2017-06-06 19:21:07 +02:00 · 2017-06-06 19:21:07 +02:00 · 154c058729
commit 154c058729
parent fe36ce1166 4e37fdb743
5 changed files with 5 additions and 14 deletions
--- a/.env.example
+++ b/.env.example
@ -195,10 +195,6 @@ FARADAY_HTTP_BACKEND=typhoeus
 # by Agents that allow overriding the User-Agent header value.
 DEFAULT_HTTP_USER_AGENT="Huginn - https://github.com/cantino/huginn"

-# Allow JSONPath eval expresions. i.e., $..price[?(@ < 20)]
-# You should not allow this on a shared Huginn box because it is not secure.
-ALLOW_JSONPATH_EVAL=false
-
 # Enable this setting to allow insecure Agents like the ShellCommandAgent.  Only do this
 # when you trust everyone using your Huginn installation.
 ENABLE_INSECURE_AGENTS=false
--- a/2
+++ b/2
@ -108,7 +108,7 @@ gem 'httmultiparty', '~> 0.3.16'
 gem 'jquery-rails', '~> 4.2.1'
 gem 'huginn_agent', '~> 0.4.0'
 gem 'json', '~> 1.8.1'
-gem 'jsonpath', '~> 0.7.2'
+gem 'jsonpath', '~> 0.8.3'
 gem 'kaminari', github: "amatsuda/kaminari", branch: '0-17-stable', ref: 'abbf93d557208ee1d0b612c612cd079f86ed54f4'
 gem 'kramdown', '~> 1.3.3'
 gem 'liquid', '~> 4.0'
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -324,7 +324,7 @@ GEM
      railties (>= 4.2.0)
      thor (>= 0.14, < 2.0)
    json (1.8.6)
-    jsonpath (0.7.2)
+    jsonpath (0.8.3)
      multi_json
    jwt (1.4.1)
    kgio (2.10.0)
@ -659,7 +659,7 @@ DEPENDENCIES
  hypdf (~> 1.0.10)
  jquery-rails (~> 4.2.1)
  json (~> 1.8.1)
-  jsonpath (~> 0.7.2)
+  jsonpath (~> 0.8.3)
  kaminari!
  kramdown (~> 1.3.3)
  letter_opener_web (~> 1.3.1)
--- a/lib/utils.rb
+++ b/lib/utils.rb
@ -87,7 +87,7 @@ module Utils
      escape = false
    end

-    result = JsonPath.new(path, :allow_eval => ENV['ALLOW_JSONPATH_EVAL'] == "true").on(data.is_a?(String) ? data : data.to_json)
+    result = JsonPath.new(path).on(data.is_a?(String) ? data : data.to_json)
    if escape
      result.map {|r| CGI::escape r }
    else
--- a/spec/lib/utils_spec.rb
+++ b/spec/lib/utils_spec.rb
@ -68,17 +68,12 @@ describe Utils do
    it "returns the value at a JSON path" do
      expect(Utils.value_at({ :foo => { :bar => :baz }}.to_json, "foo.bar")).to eq("baz")
      expect(Utils.value_at({ :foo => { :bar => { :bing => 2 } }}, "foo.bar.bing")).to eq(2)
+      expect(Utils.value_at({ :foo => { :bar => { :bing => 2 } }}, "foo.bar[?(@.bing == 2)].bing")).to eq(2)
    end

    it "returns nil when the path cannot be followed" do
      expect(Utils.value_at({ :foo => { :bar => :baz }}, "foo.bing")).to be_nil
    end
-
-    it "does not eval" do
-      expect {
-        Utils.value_at({ :foo => 2 }, "foo[?(@ > 1)]")
-      }.to raise_error(RuntimeError, /Cannot use .*? eval/)
-    end
  end

  describe "#values_at" do