fix(security): further prevent binding of Function calls which may ev…

…ade detection
JSONPath-Plus · Oct 17, 2024 · 30194c7 · 30194c7
1 parent eac48fe
commit 30194c7
Show file tree

Hide file tree

Showing 11 changed files with 24 additions and 5 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,5 +1,9 @@
 # CHANGES for jsonpath-plus
 
+## 10.0.4
+
+- fix(security): further prevent binding of Function calls which may evade detection
+
 ## 10.0.3
 
 - fix(security): prevent binding of Function calls which may evade detection

diff --git a/dist/index-browser-esm.js b/dist/index-browser-esm.js
@@ -1325,6 +1325,9 @@ const SafeEval = {
     if (func === Function) {
       throw new Error('Function constructor is disabled');
     }
+    if (func.toString() === 'function () { [native code] }') {
+      throw new Error('Native functions are disabled');
+    }
     return func(...args);
   },
   evalAssignmentExpression(ast, subs) {

diff --git a/dist/index-browser-esm.min.js b/dist/index-browser-esm.min.js
diff --git a/dist/index-browser-esm.min.js.map b/dist/index-browser-esm.min.js.map
diff --git a/dist/index-browser-umd.cjs b/dist/index-browser-umd.cjs
@@ -1331,6 +1331,9 @@
 	    if (func === Function) {
 	      throw new Error('Function constructor is disabled');
 	    }
+	    if (func.toString() === 'function () { [native code] }') {
+	      throw new Error('Native functions are disabled');
+	    }
 	    return func(...args);
 	  },
 	  evalAssignmentExpression(ast, subs) {

diff --git a/dist/index-browser-umd.min.cjs b/dist/index-browser-umd.min.cjs
diff --git a/dist/index-browser-umd.min.cjs.map b/dist/index-browser-umd.min.cjs.map
diff --git a/dist/index-node-cjs.cjs b/dist/index-node-cjs.cjs
@@ -1326,6 +1326,9 @@ const SafeEval = {
     if (func === Function) {
       throw new Error('Function constructor is disabled');
     }
+    if (func.toString() === 'function () { [native code] }') {
+      throw new Error('Native functions are disabled');
+    }
     return func(...args);
   },
   evalAssignmentExpression(ast, subs) {

diff --git a/dist/index-node-esm.js b/dist/index-node-esm.js
@@ -1324,6 +1324,9 @@ const SafeEval = {
     if (func === Function) {
       throw new Error('Function constructor is disabled');
     }
+    if (func.toString() === 'function () { [native code] }') {
+      throw new Error('Native functions are disabled');
+    }
     return func(...args);
   },
   evalAssignmentExpression(ast, subs) {

diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "author": "Stefan Goessner",
   "name": "jsonpath-plus",
-  "version": "10.0.3",
+  "version": "10.0.4",
   "type": "module",
   "bin": {
     "jsonpath": "./bin/jsonpath-cli.js",

diff --git a/src/Safe-Script.js b/src/Safe-Script.js
@@ -140,6 +140,9 @@ const SafeEval = {
         if (func === Function) {
             throw new Error('Function constructor is disabled');
         }
+        if (func.toString() === 'function () { [native code] }') {
+            throw new Error('Native functions are disabled');
+        }
         return func(...args);
     },
     evalAssignmentExpression (ast, subs) {