
Don't allow JSONPath eval

1 parent 5ce20ce commit 52a1c1208a192d99cab38f4d95bca35349cb980d @cantino committed Mar 18, 2013
Showing with 7 additions and 1 deletion.
  1. +1 −1 lib/utils.rb
  2. +6 −0 spec/lib/utils_spec.rb
@@ -22,6 +22,6 @@ def self.value_at(data, path)
end
def self.values_at(data, path)
- JsonPath.new(path).on(data.is_a?(String) ? data : data.to_json)
+ JsonPath.new(path, :allow_eval => false).on(data.is_a?(String) ? data : data.to_json)
end
end
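Review bot: The `:allow_eval => false` option is passed only in `values_at`; whether `value_at` (whose body ends at the top of this hunk and is otherwise outside it) is covered depends on it delegating to `values_at`, which the new spec assumes but this hunk does not show. A comment on the changed line would stop the flag being dropped later, e.g. `# Filter expressions such as [?(@ > 1)] are eval'd as Ruby unless disabled; paths may come from untrusted input.` With eval disabled such a path now raises a RuntimeError from the gem (the spec expects the "Cannot use ... eval" message), so callers that accept paths from outside should rescue it or validate the path rather than let it propagate. Because the protection relies on the jsonpath gem honouring `:allow_eval`, pinning a gem version that supports the option is worth doing alongside this change.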
@@ -10,6 +10,12 @@
it "returns nil when the path cannot be followed" do
Utils.value_at({ :foo => { :bar => :baz }}, "foo.bing").should be_nil
end
+
+ it "does not eval" do
+ lambda {
+ Utils.value_at({ :foo => 2 }, "foo[?(@ > 1)]")
+ }.should raise_error(RuntimeError, /Cannot use .*? eval/)
+ end
end
describe "#values_at" do
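Review bot: The regression test exercises `Utils.value_at` only, while the commit changes `Utils.values_at`; if `value_at` delegates the coverage is indirect, and a direct assertion keeps the test meaningful if that delegation ever changes. Add the same expectation under the `describe "#values_at"` block that starts on the last line of this hunk and continues outside it, e.g. `lambda { Utils.values_at({ :foo => 2 }, "foo[?(@ > 1)]") }.should raise_error(RuntimeError, /Cannot use .*? eval/)`. Matching on `/Cannot use .*? eval/` ties the spec to the gem's message wording, so a jsonpath version bump may require the pattern to be updated.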

