Commit

fix(security): prohibit Function in "safe" vm; fixes #226
brettz9 committed Oct 16, 2024
1 parent a04dcba commit 0bf1665
Showing 11 changed files with 24 additions and 5 deletions.
4 changes: 4 additions & 0 deletions CHANGES.md
@@ -1,5 +1,9 @@
# CHANGES for jsonpath-plus

## 10.0.1

- fix(security): prohibit `Function` in "safe" vm

## 10.0.0

BREAKING CHANGES:
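Review bot: the new 10.0.1 entry drops the issue reference that the commit message carries ("fixes #226"), so a changelog reader cannot trace the fix back to the report; suggest `- fix(security): prohibit \`Function\` in "safe" vm (#226)`. A one-line statement of impact (that the "safe" eval mode could previously hand out the `Function` constructor) would also help users decide whether the patch release is urgent for them.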
3 changes: 3 additions & 0 deletions dist/index-browser-esm.js
@@ -1296,6 +1296,9 @@ const SafeEval = {
const obj = SafeEval.evalAst(ast.object, subs);
const result = obj[prop];
if (typeof result === 'function') {
if (result === Function) {
throw new Error('Function constructor is disabled');
}
return result.bind(obj); // arrow functions aren't affected by bind.
}
return result;
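Review bot: this hunk, and the three other `dist/` hunks below, duplicate the `src/Safe-Script.js` change in committed build output; since the minified bundles and their source maps are only shown as "large diffs", the reviewer cannot see whether they were regenerated or hand-patched. Suggest confirming these files come from a clean build of the `src` change (the three identical added lines across the esm, umd and node bundles are consistent with that, but the `.min.*` files and maps should match as well).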
2 changes: 1 addition & 1 deletion dist/index-browser-esm.min.js
2 changes: 1 addition & 1 deletion dist/index-browser-esm.min.js.map
3 changes: 3 additions & 0 deletions dist/index-browser-umd.cjs
@@ -1302,6 +1302,9 @@
const obj = SafeEval.evalAst(ast.object, subs);
const result = obj[prop];
if (typeof result === 'function') {
if (result === Function) {
throw new Error('Function constructor is disabled');
}
return result.bind(obj); // arrow functions aren't affected by bind.
}
return result;
2 changes: 1 addition & 1 deletion dist/index-browser-umd.min.cjs
2 changes: 1 addition & 1 deletion dist/index-browser-umd.min.cjs.map
3 changes: 3 additions & 0 deletions dist/index-node-cjs.cjs
@@ -1297,6 +1297,9 @@ const SafeEval = {
const obj = SafeEval.evalAst(ast.object, subs);
const result = obj[prop];
if (typeof result === 'function') {
if (result === Function) {
throw new Error('Function constructor is disabled');
}
return result.bind(obj); // arrow functions aren't affected by bind.
}
return result;
3 changes: 3 additions & 0 deletions dist/index-node-esm.js
@@ -1295,6 +1295,9 @@ const SafeEval = {
const obj = SafeEval.evalAst(ast.object, subs);
const result = obj[prop];
if (typeof result === 'function') {
if (result === Function) {
throw new Error('Function constructor is disabled');
}
return result.bind(obj); // arrow functions aren't affected by bind.
}
return result;
2 changes: 1 addition & 1 deletion package.json
@@ -1,7 +1,7 @@
{
"author": "Stefan Goessner",
"name": "jsonpath-plus",
"version": "10.0.0",
"version": "10.0.1",
"type": "module",
"bin": {
"jsonpath": "./bin/jsonpath-cli.js",
3 changes: 3 additions & 0 deletions src/Safe-Script.js
@@ -111,6 +111,9 @@ const SafeEval = {
const obj = SafeEval.evalAst(ast.object, subs);
const result = obj[prop];
if (typeof result === 'function') {
if (result === Function) {
throw new Error('Function constructor is disabled');
}
return result.bind(obj); // arrow functions aren't affected by bind.
}
return result;
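Review bot: the guard `if (result === Function)` is an identity check against the current realm's `Function` and nothing else, so the member-access path it sits on still returns the other constructors that compile source text (the generator and async function constructors, which are reached the same way via a function's `constructor` property and whose `[[Prototype]]` is `Function`). Consider widening the condition to `result === Function || Object.getPrototypeOf(result) === Function`, or, more robustly for a "safe" evaluator, allowing only a curated set of callables rather than denying one known-bad value. The commit also ships no regression test; a case under `test/` that evaluates a `.constructor` access in safe mode and expects the "Function constructor is disabled" error would document the fix and keep it from regressing.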

0 comments on commit 0bf1665