fix(security): prevent call/apply invocation of Function

JSONPath-Plus · Oct 18, 2024 · 763ada0 · 763ada0
1 parent 98a6b22
commit 763ada0
Show file tree

Hide file tree

Showing 12 changed files with 28 additions and 6 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,5 +1,9 @@
 # CHANGES for jsonpath-plus
 
+## 10.0.6
+
+- fix(security): prevent `call`/`apply` invocation of `Function`
+
 ## 10.0.5
 
 - fix: remove overly aggressive disabling of native functions but

diff --git a/badges/coverage-badge.svg b/badges/coverage-badge.svg
diff --git a/dist/index-browser-esm.js b/dist/index-browser-esm.js
@@ -1299,6 +1299,9 @@ const SafeEval = {
       if (obj === Function && prop === 'bind') {
         throw new Error('Function.prototype.bind is disabled');
       }
+      if (obj === Function && (prop === 'call' || prop === 'apply')) {
+        throw new Error('Function.prototype.call and ' + 'Function.prototype.apply are disabled');
+      }
       if (result === Function) {
         return result; // Don't bind so can identify and throw later
       }

diff --git a/dist/index-browser-esm.min.js b/dist/index-browser-esm.min.js
diff --git a/dist/index-browser-esm.min.js.map b/dist/index-browser-esm.min.js.map
diff --git a/dist/index-browser-umd.cjs b/dist/index-browser-umd.cjs
@@ -1305,6 +1305,9 @@
 	      if (obj === Function && prop === 'bind') {
 	        throw new Error('Function.prototype.bind is disabled');
 	      }
+	      if (obj === Function && (prop === 'call' || prop === 'apply')) {
+	        throw new Error('Function.prototype.call and ' + 'Function.prototype.apply are disabled');
+	      }
 	      if (result === Function) {
 	        return result; // Don't bind so can identify and throw later
 	      }

diff --git a/dist/index-browser-umd.min.cjs b/dist/index-browser-umd.min.cjs
diff --git a/dist/index-browser-umd.min.cjs.map b/dist/index-browser-umd.min.cjs.map
diff --git a/dist/index-node-cjs.cjs b/dist/index-node-cjs.cjs
@@ -1300,6 +1300,9 @@ const SafeEval = {
       if (obj === Function && prop === 'bind') {
         throw new Error('Function.prototype.bind is disabled');
       }
+      if (obj === Function && (prop === 'call' || prop === 'apply')) {
+        throw new Error('Function.prototype.call and ' + 'Function.prototype.apply are disabled');
+      }
       if (result === Function) {
         return result; // Don't bind so can identify and throw later
       }

diff --git a/dist/index-node-esm.js b/dist/index-node-esm.js
@@ -1298,6 +1298,9 @@ const SafeEval = {
       if (obj === Function && prop === 'bind') {
         throw new Error('Function.prototype.bind is disabled');
       }
+      if (obj === Function && (prop === 'call' || prop === 'apply')) {
+        throw new Error('Function.prototype.call and ' + 'Function.prototype.apply are disabled');
+      }
       if (result === Function) {
         return result; // Don't bind so can identify and throw later
       }

diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "author": "Stefan Goessner",
   "name": "jsonpath-plus",
-  "version": "10.0.5",
+  "version": "10.0.6",
   "type": "module",
   "bin": {
     "jsonpath": "./bin/jsonpath-cli.js",

diff --git a/src/Safe-Script.js b/src/Safe-Script.js
@@ -114,6 +114,12 @@ const SafeEval = {
             if (obj === Function && prop === 'bind') {
                 throw new Error('Function.prototype.bind is disabled');
             }
+            if (obj === Function && (prop === 'call' || prop === 'apply')) {
+                throw new Error(
+                    'Function.prototype.call and ' +
+                    'Function.prototype.apply are disabled'
+                );
+            }
             if (result === Function) {
                 return result; // Don't bind so can identify and throw later
             }