From 52a1c1208a192d99cab38f4d95bca35349cb980d Mon Sep 17 00:00:00 2001
From: Andrew Cantino <cantino@gmail.com>
Date: Sun, 17 Mar 2013 23:25:59 -0700
Subject: [PATCH] Don't allow JSONPath eval

---
 lib/utils.rb           | 2 +-
 spec/lib/utils_spec.rb | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/utils.rb b/lib/utils.rb
index 07ac4d6b..fc7a0d82 100644
--- a/lib/utils.rb
+++ b/lib/utils.rb
@@ -22,6 +22,6 @@ module Utils
   end
 
   def self.values_at(data, path)
-    JsonPath.new(path).on(data.is_a?(String) ? data : data.to_json)
+    JsonPath.new(path, :allow_eval => false).on(data.is_a?(String) ? data : data.to_json)
   end
 end
\ No newline at end of file
diff --git a/spec/lib/utils_spec.rb b/spec/lib/utils_spec.rb
index 847be971..7cc5eda1 100644
--- a/spec/lib/utils_spec.rb
+++ b/spec/lib/utils_spec.rb
@@ -10,6 +10,12 @@ describe Utils do
     it "returns nil when the path cannot be followed" do
       Utils.value_at({ :foo => { :bar => :baz }}, "foo.bing").should be_nil
     end
+
+    it "does not eval" do
+      lambda {
+        Utils.value_at({ :foo => 2 }, "foo[?(@ > 1)]")
+      }.should raise_error(RuntimeError, /Cannot use .*? eval/)
+    end
   end
 
   describe "#values_at" do