Don't allow JSONPath eval

Andrew Cantino 2013-03-17 23:25:59 -07:00
parent 5ce20ce43e
commit 52a1c1208a
2 changed files with 7 additions and 1 deletions


@ -22,6 +22,6 @@ module Utils
end
def self.values_at(data, path)
JsonPath.new(path).on(data.is_a?(String) ? data : data.to_json)
JsonPath.new(path, :allow_eval => false).on(data.is_a?(String) ? data : data.to_json)
end
end
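Review bot: The new `:allow_eval => false` argument in `values_at` carries no comment saying why it is there, so a later refactor could drop it without anyone noticing that it is a security control. I would add above the call `# allow_eval is off so filter/script expressions in path are never handed to Ruby's eval; such paths raise instead.` With this change a path containing such an expression raises a RuntimeError (per the spec added in this commit) instead of returning a value. Callers of `values_at`/`value_at` that take paths from configuration presumably need to rescue or validate that, but those callers are not visible here. `module Utils` begins outside the hunk.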


@ -10,6 +10,12 @@ describe Utils do
it "returns nil when the path cannot be followed" do
Utils.value_at({ :foo => { :bar => :baz }}, "foo.bing").should be_nil
end
it "does not eval" do
lambda {
Utils.value_at({ :foo => 2 }, "foo[?(@ > 1)]")
}.should raise_error(RuntimeError, /Cannot use .*? eval/)
end
end
describe "#values_at" do
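Review bot: The added spec covers only the filter form `[?(...)]` and only through `value_at`; the script-expression form `[(...)]` and a direct call to `values_at` are not exercised. Since `values_at` is where the option is set, a second example such as `lambda { Utils.values_at({ :foo => [1, 2] }, "foo[(@.length-1)]") }.should raise_error(RuntimeError, /Cannot use .*? eval/)` would pin both. I am assuming the library raises a matching message for that form, so confirm before adding it. The enclosing `describe` blocks start and end outside the hunk.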