2.0.0, remove the 'method' operator

jwadhams · Nov 9, 2020 · fadfa5d · fadfa5d
1 parent 8b5e56b
commit fadfa5d
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 39 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -0,0 +1,9 @@
+# Change Log
+
+## 2.0.0
+
+Major version bump because we're removing the `method` operation. The [NPM advisory 1542](https://www.npmjs.com/advisories/1542) shows that an attacker can supply a JsonLogic rule that will execute arbitrary code in the client of anyone who executes that rule with any data.
+
+## 1.2.3
+
+Cleaned up JsonLogic's behavior when the `data` parameter is not an object, especially when it's falsy. Resolves PRs [88](https://github.com/jwadhams/json-logic-js/pull/88) and [89](https://github.com/jwadhams/json-logic-js/pull/89), but more importantly makes the `var` operator more resilient.
diff --git a/logic.js b/logic.js
@@ -170,10 +170,6 @@ http://ricostacruz.com/cheatsheets/umdjs.html
         return are_missing;
       }
     },
-    "method": function(obj, method, args) {
-      return obj[method].apply(obj, args);
-    },
-
   };
 
   jsonLogic.is_logic = function(logic) {

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "json-logic-js",
-  "version": "1.2.3",
+  "version": "2.0.0",
   "description": "Build complex rules, serialize them as JSON, and execute them in JavaScript",
   "main": "logic.js",
   "directories": {

diff --git a/tests/tests.js b/tests/tests.js
@@ -204,40 +204,6 @@ QUnit.test( "Expanding functionality with add_operator", function( assert) {
 
 });
 
-QUnit.test( "Expanding functionality with method", function( assert) {
-  // Data contains a real object with methods and local state
-  var a = {
-    count: 0,
-    increment: function() {
-      return this.count += 1;
-    },
-    add: function(b) {
-      return this.count += b;
-    },
-  };
-
-  // Look up "a" in data, and run the increment method on it with no args.
-  assert.equal(
-    jsonLogic.apply(
-      {"method": [{"var": "a"}, "increment"]},
-      {"a": a}
-    ),
-    1 // Happy return value
-  );
-  assert.equal(a.count, 1); // Happy state change
-
-  // Run the add method with an argument
-  assert.equal(
-    jsonLogic.apply(
-      {"method": [{"var": "a"}, "add", [41]]},
-      {"a": a}
-    ),
-    42 // Happy return value
-  );
-  assert.equal(a.count, 42); // Happy state change
-});
-
-
 QUnit.test("Control structures don't eval depth-first", function(assert) {
   // Depth-first recursion was wasteful but not harmful until we added custom operations that could have side-effects.