add ALLOW_JSONPATH_EVAL option to .env
Andrew Cantino
2 changed files with 10 additions and 2 deletions
+ 8
- 0
.env.example
@@ -78,6 +78,14 @@ AWS_ACCESS_KEY="your aws access key" |
||
| 78 | 78 |
# Set AWS_SANDBOX to true if you're developing Huginn code. |
| 79 | 79 |
AWS_SANDBOX=false |
| 80 | 80 |
|
| 81 |
+######################## |
|
| 82 |
+# Various Settings # |
|
| 83 |
+######################## |
|
| 84 |
+ |
|
| 85 |
+# Allow JSONPath eval expresions. i.e., $..price[?(@ < 20)] |
|
| 86 |
+# You should not allow this on a shared Huginn box because it is not secure. |
|
| 87 |
+ALLOW_JSONPATH_EVAL=false |
|
| 88 |
+ |
|
| 81 | 89 |
# Use Graphviz for generating diagrams instead of using Google Chart |
| 82 | 90 |
# Tools. Specify a dot(1) command path built with SVG support |
| 83 | 91 |
# enabled. |
+ 2
- 2
lib/utils.rb
@@ -56,7 +56,7 @@ module Utils |
||
| 56 | 56 |
escape = false |
| 57 | 57 |
end |
| 58 | 58 |
|
| 59 |
- result = JsonPath.new(path, :allow_eval => false).on(data.is_a?(String) ? data : data.to_json) |
|
| 59 |
+ result = JsonPath.new(path, :allow_eval => ENV['ALLOW_JSONPATH_EVAL'] == "true").on(data.is_a?(String) ? data : data.to_json) |
|
| 60 | 60 |
if escape |
| 61 | 61 |
result.map {|r| CGI::escape r }
|
| 62 | 62 |
else |
@@ -79,4 +79,4 @@ module Utils |
||
| 79 | 79 |
def self.pretty_jsonify(thing) |
| 80 | 80 |
JSON.pretty_generate(thing).gsub('</', '<\/')
|
| 81 | 81 |
end |
| 82 |
-end |
|
| 82 |
+end |