From 52a1c1208a192d99cab38f4d95bca35349cb980d Mon Sep 17 00:00:00 2001
From: Andrew Cantino
Date: Sun, 17 Mar 2013 23:25:59 -0700
Subject: [PATCH] Don't allow JSONPath eval

---
 lib/utils.rb           | 2 +-
 spec/lib/utils_spec.rb | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/utils.rb b/lib/utils.rb
index 07ac4d6b..fc7a0d82 100644
--- a/lib/utils.rb
+++ b/lib/utils.rb
@@ -22,6 +22,6 @@ module Utils
   end
 
   def self.values_at(data, path)
-    JsonPath.new(path).on(data.is_a?(String) ? data : data.to_json)
+    JsonPath.new(path, :allow_eval => false).on(data.is_a?(String) ? data : data.to_json)
   end
 end
\ No newline at end of file
diff --git a/spec/lib/utils_spec.rb b/spec/lib/utils_spec.rb
index 847be971..7cc5eda1 100644
--- a/spec/lib/utils_spec.rb
+++ b/spec/lib/utils_spec.rb
@@ -10,6 +10,12 @@ describe Utils do
   it "returns nil when the path cannot be followed" do
     Utils.value_at({ :foo => { :bar => :baz }}, "foo.bing").should be_nil
   end
+
+  it "does not eval" do
+    lambda {
+      Utils.value_at({ :foo => 2 }, "foo[?(@ > 1)]")
+    }.should raise_error(RuntimeError, /Cannot use .*? eval/)
+  end
 end
 
 describe "#values_at" do
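Review bot: The new `:allow_eval => false` argument in `values_at` carries the whole security rationale of this commit but has no comment, so a later maintainer tidying the call has nothing telling them not to drop it. I would document it on the line above the call: `# Never allow eval here: JSONPath filter expressions such as [?(...)] would otherwise be handed to Kernel#eval, and the path is presumably caller-supplied (confirm against the agent options that reach this method).` The accompanying spec shows that with eval disabled the gem raises RuntimeError for a filter expression, so a YARD `@raise [RuntimeError] when the path contains a filter expression that would require eval` on `values_at` would make that contract visible to callers. The enclosing `module Utils` begins outside the hunk, so `value_at`, which the spec exercises, is not visible; it presumably delegates to `values_at`, and if it does not, the spec would not cover this line.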
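Review bot: The new "does not eval" example pins both the exception class and the message fragment `/Cannot use .*? eval/`, neither of which is defined by this project; they come from the jsonpath gem and can change on an upgrade without the protection regressing, which would turn a wording change into a false failure. Since the property under test is only that the filter expression is rejected rather than evaluated, I would loosen the matcher to `raise_error(RuntimeError)` and move the intent into the example name, e.g. `it "raises instead of evaluating a JSONPath filter expression" do`, or keep the regex but add `# message text belongs to the jsonpath gem; the assertion that matters is that no value is computed` above the lambda. Note that the example calls `value_at` while the change is to `values_at`, so the test relies on the former delegating to the latter, which this hunk does not show.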