Don't allow JSONPath eval

huginn · Mar 18, 2013 · 52a1c12 · 52a1c12
1 parent 5ce20ce
commit 52a1c12
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/lib/utils.rb b/lib/utils.rb
@@ -22,6 +22,6 @@ def self.value_at(data, path)
   end
 
   def self.values_at(data, path)
-    JsonPath.new(path).on(data.is_a?(String) ? data : data.to_json)
+    JsonPath.new(path, :allow_eval => false).on(data.is_a?(String) ? data : data.to_json)
   end
 end
diff --git a/spec/lib/utils_spec.rb b/spec/lib/utils_spec.rb
@@ -10,6 +10,12 @@
     it "returns nil when the path cannot be followed" do
       Utils.value_at({ :foo => { :bar => :baz }}, "foo.bing").should be_nil
     end
+
+    it "does not eval" do
+      lambda {
+        Utils.value_at({ :foo => 2 }, "foo[?(@ > 1)]")
+      }.should raise_error(RuntimeError, /Cannot use .*? eval/)
+    end
   end
 
   describe "#values_at" do