Don't allow JSONPath eval

2025-03-15 19:31:26 +00:00 · 2013-03-17 23:25:59 -07:00 · 2013-03-17 23:25:59 -07:00 · 52a1c1208a
commit 52a1c1208a
parent 5ce20ce43e
2 changed files with 7 additions and 1 deletions
--- a/lib/utils.rb
+++ b/lib/utils.rb
@ -22,6 +22,6 @@ module Utils
  end

  def self.values_at(data, path)
-    JsonPath.new(path).on(data.is_a?(String) ? data : data.to_json)
+    JsonPath.new(path, :allow_eval => false).on(data.is_a?(String) ? data : data.to_json)
  end
 end
--- a/spec/lib/utils_spec.rb
+++ b/spec/lib/utils_spec.rb
@ -10,6 +10,12 @@ describe Utils do
    it "returns nil when the path cannot be followed" do
      Utils.value_at({ :foo => { :bar => :baz }}, "foo.bing").should be_nil
    end
+
+    it "does not eval" do
+      lambda {
+        Utils.value_at({ :foo => 2 }, "foo[?(@ > 1)]")
+      }.should raise_error(RuntimeError, /Cannot use .*? eval/)
+    end
  end

  describe "#values_at" do