Don't allow JSONPath eval
Andrew Cantino
共有 2 个文件被更改,包括 7 次插入 和 1 次删除
+ 1
- 1
lib/utils.rb
@@ -22,6 +22,6 @@ module Utils |
||
| 22 | 22 |
end |
| 23 | 23 |
|
| 24 | 24 |
def self.values_at(data, path) |
| 25 |
- JsonPath.new(path).on(data.is_a?(String) ? data : data.to_json) |
|
| 25 |
+ JsonPath.new(path, :allow_eval => false).on(data.is_a?(String) ? data : data.to_json) |
|
| 26 | 26 |
end |
| 27 | 27 |
end |
+ 6
- 0
spec/lib/utils_spec.rb
@@ -10,6 +10,12 @@ describe Utils do |
||
| 10 | 10 |
it "returns nil when the path cannot be followed" do |
| 11 | 11 |
Utils.value_at({ :foo => { :bar => :baz }}, "foo.bing").should be_nil
|
| 12 | 12 |
end |
| 13 |
+ |
|
| 14 |
+ it "does not eval" do |
|
| 15 |
+ lambda {
|
|
| 16 |
+ Utils.value_at({ :foo => 2 }, "foo[?(@ > 1)]")
|
|
| 17 |
+ }.should raise_error(RuntimeError, /Cannot use .*? eval/) |
|
| 18 |
+ end |
|
| 13 | 19 |
end |
| 14 | 20 |
|
| 15 | 21 |
describe "#values_at" do |