Skip to content

Commit

Permalink
fix: remove overly aggressive disabling of native functions but disal…
Browse files Browse the repository at this point in the history 
…low `__proto__`
  • Loading branch information
@brettz9
brettz9 committed Oct 18, 2024
1 parent 30194c7 commit 98a6b22
Show file tree
Hide file tree
Showing 12 changed files with 26 additions and 21 deletions.
5 changes: 5 additions & 0 deletions CHANGES.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,10 @@
# CHANGES for jsonpath-plus

## 10.0.5

- fix: remove overly aggressive disabling of native functions but
disallow `__proto__`

## 10.0.4

- fix(security): further prevent binding of Function calls which may evade detection
Expand Down
2 changes: 1 addition & 1 deletion badges/coverage-badge.svg
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
6 changes: 3 additions & 3 deletions dist/index-browser-esm.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1325,16 +1325,16 @@ const SafeEval = {
if (func === Function) {
throw new Error('Function constructor is disabled');
}
if (func.toString() === 'function () { [native code] }') {
throw new Error('Native functions are disabled');
}
return func(...args);
},
evalAssignmentExpression(ast, subs) {
if (ast.left.type !== 'Identifier') {
throw SyntaxError('Invalid left-hand side in assignment');
}
const id = ast.left.name;
if (id === '__proto__') {
throw new Error('Assignment to __proto__ is disabled');
}
const value = SafeEval.evalAst(ast.right, subs);
subs[id] = value;
return subs[id];
Expand Down
2 changes: 1 addition & 1 deletion dist/index-browser-esm.min.js
View file

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion dist/index-browser-esm.min.js.map
View file

Large diffs are not rendered by default.

6 changes: 3 additions & 3 deletions dist/index-browser-umd.cjs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1331,16 +1331,16 @@
if (func === Function) {
throw new Error('Function constructor is disabled');
}
if (func.toString() === 'function () { [native code] }') {
throw new Error('Native functions are disabled');
}
return func(...args);
},
evalAssignmentExpression(ast, subs) {
if (ast.left.type !== 'Identifier') {
throw SyntaxError('Invalid left-hand side in assignment');
}
const id = ast.left.name;
if (id === '__proto__') {
throw new Error('Assignment to __proto__ is disabled');
}
const value = SafeEval.evalAst(ast.right, subs);
subs[id] = value;
return subs[id];
Expand Down
2 changes: 1 addition & 1 deletion dist/index-browser-umd.min.cjs
View file

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion dist/index-browser-umd.min.cjs.map
View file

Large diffs are not rendered by default.

6 changes: 3 additions & 3 deletions dist/index-node-cjs.cjs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1326,16 +1326,16 @@ const SafeEval = {
if (func === Function) {
throw new Error('Function constructor is disabled');
}
if (func.toString() === 'function () { [native code] }') {
throw new Error('Native functions are disabled');
}
return func(...args);
},
evalAssignmentExpression(ast, subs) {
if (ast.left.type !== 'Identifier') {
throw SyntaxError('Invalid left-hand side in assignment');
}
const id = ast.left.name;
if (id === '__proto__') {
throw new Error('Assignment to __proto__ is disabled');
}
const value = SafeEval.evalAst(ast.right, subs);
subs[id] = value;
return subs[id];
Expand Down
6 changes: 3 additions & 3 deletions dist/index-node-esm.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1324,16 +1324,16 @@ const SafeEval = {
if (func === Function) {
throw new Error('Function constructor is disabled');
}
if (func.toString() === 'function () { [native code] }') {
throw new Error('Native functions are disabled');
}
return func(...args);
},
evalAssignmentExpression(ast, subs) {
if (ast.left.type !== 'Identifier') {
throw SyntaxError('Invalid left-hand side in assignment');
}
const id = ast.left.name;
if (id === '__proto__') {
throw new Error('Assignment to __proto__ is disabled');
}
const value = SafeEval.evalAst(ast.right, subs);
subs[id] = value;
return subs[id];
Expand Down
2 changes: 1 addition & 1 deletion package.json
View file
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"author": "Stefan Goessner",
"name": "jsonpath-plus",
"version": "10.0.4",
"version": "10.0.5",
"type": "module",
"bin": {
"jsonpath": "./bin/jsonpath-cli.js",
Expand Down
6 changes: 3 additions & 3 deletions src/Safe-Script.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -140,16 +140,16 @@ const SafeEval = {
if (func === Function) {
throw new Error('Function constructor is disabled');
}
if (func.toString() === 'function () { [native code] }') {
throw new Error('Native functions are disabled');
}
return func(...args);
},
evalAssignmentExpression (ast, subs) {
if (ast.left.type !== 'Identifier') {
throw SyntaxError('Invalid left-hand side in assignment');
}
const id = ast.left.name;
if (id === '__proto__') {
throw new Error('Assignment to __proto__ is disabled');
}
const value = SafeEval.evalAst(ast.right, subs);
subs[id] = value;
return subs[id];
Expand Down

0 comments on commit 98a6b22

Please sign in to comment.