Fix #1. Strict expression validation.

expression.js

@@ -0,0 +1,20 @@
+var acorn = require("acorn"),
+    path = require("path"),
+    vm = require("vm");
+
+module.exports = function(value, name) {
+  try {
+    var node = acorn.parse("(" + value + ")", {preserveParens: true});
+    if (node.type !== "Program") throw new Error("Expected program");
+    if (node.body.length !== 1) throw new Error("Invalid expression");
+    if (node.body[0].type !== "ExpressionStatement") throw new Error("Expected expression statement");
+    if (node.body[0].expression.type !== "ParenthesizedExpression") throw new Error("Expected expression");
+    return new vm.Script("(" + value + ")");
+  } catch (error) {
+    console.error(path.basename(process.argv[1]) + ":" + (name === undefined ? "expression" : name));
+    console.error(value);
+    console.error("^");
+    console.error("SyntaxError: " + error.message);
+    process.exit(1);
+  }
+};

ndjson-filter

@@ -2,6 +2,7 @@
 
 var readline = require("readline"),
     vm = require("vm"),
+    expression = require("./expression"),
     output = require("./output");
 
 if (process.argv.length !== 3) {
@@ -11,7 +12,7 @@ if (process.argv.length !== 3) {
 
 var i = -1,
     sandbox = {d: undefined, i: i},
-    filter = new vm.Script(process.argv[2]),
+    filter = expression(process.argv[2]),
     context = new vm.createContext(sandbox);
 
 readline.createInterface({

ndjson-map

@@ -2,6 +2,7 @@
 
 var readline = require("readline"),
     vm = require("vm"),
+    expression = require("./expression"),
     output = require("./output");
 
 if (process.argv.length !== 3) {
@@ -11,7 +12,7 @@ if (process.argv.length !== 3) {
 
 var i = -1,
     sandbox = {d: undefined, i: i},
-    map = new vm.Script(process.argv[2]),
+    map = expression(process.argv[2]),
     context = new vm.createContext(sandbox);
 
 readline.createInterface({

ndjson-reduce

@@ -2,6 +2,7 @@
 
 var readline = require("readline"),
     vm = require("vm"),
+    expression = require("./expression"),
     output = require("./output");
 
 if (process.argv.length < 3 || process.argv.length > 4) {
@@ -11,8 +12,8 @@ if (process.argv.length < 3 || process.argv.length > 4) {
 
 var i = -1,
     unset = process.argv.length < 4,
-    sandbox = {p: unset ? undefined : vm.runInNewContext(process.argv[3]), d: undefined, i: i},
-    reduce = new vm.Script(process.argv[2]),
+    sandbox = {p: unset ? undefined : expression(process.argv[3], "initial").runInNewContext(), d: undefined, i: i},
+    reduce = expression(process.argv[2]),
     context = new vm.createContext(sandbox);
 
 readline.createInterface({

ndjson-sort

@@ -2,6 +2,7 @@
 
 var readline = require("readline"),
     vm = require("vm"),
+    expression = require("./expression"),
     output = require("./output");
 
 if (process.argv.length !== 3) {
@@ -12,7 +13,7 @@ if (process.argv.length !== 3) {
 var i = -1,
     results = [],
     sandbox = {a: undefined, b: undefined},
-    compare = new vm.Script(process.argv[2]),
+    compare = expression(process.argv[2]),
     context = new vm.createContext(sandbox);
 
 readline.createInterface({

ndjson-split

@@ -2,6 +2,7 @@
 
 var readline = require("readline"),
     vm = require("vm"),
+    expression = require("./expression"),
     output = require("./output");
 
 if (process.argv.length !== 3) {
@@ -11,7 +12,7 @@ if (process.argv.length !== 3) {
 
 var i = -1,
     sandbox = {d: undefined, i: i},
-    map = new vm.Script(process.argv[2]),
+    map = expression(process.argv[2]),
     context = new vm.createContext(sandbox);
 
 readline.createInterface({

package.json

@@ -26,5 +26,8 @@
   },
   "scripts": {
     "postpublish": "git push && git push --tags"
+  },
+  "dependencies": {
+    "acorn": "4"
   }
 }