JSONPath-Plus / JSONPath

A fork of JSONPath from http://goessner.net/articles/JsonPath/

In version 10.0.0 or 10.0.1, the use of 'typeof' and 'undefined' in filter throws error #229

Closed 3-14r closed 1 day ago

3-14r commented 3 days ago

Describe the bug

Using the operator typeof or the value undefined in a filter throws an exception in version 10.0.0. It was not the case in version 7.2.0.

Code sample or steps to reproduce

import { JSONPath } from 'jsonpath-plus';

const json = [
  { name: 'one', value: 'abc' },
  { name: 'two', value: 'skip.abc' },
  { name: 'three', value: { a: 'abc' } },
  { name: 'four' }
];
// First case: "typeof" in the filter
let path = "$[?(typeof @.value === 'string' && !@.value.startsWith('skip.'))].name";
let result = JSONPath({ path, json }); // fails in 10.0.0: "typeof is not defined"
// Second case: "undefined" in the filter
path = "$[?(@.value === undefined)].name";
result = JSONPath({ path, json }); // fails in 10.0.0: "undefined is not defined"

Console error or logs

in first case: Error: jsonPath: typeof is not defined: typeof @.value === 'string' && !@.value.startsWith('skip.')

in second case: Error: jsonPath: undefined is not defined: @.value === undefined

Expected behavior

To not throw an exception

Expected result

// in first case
result == ['one']
// in second case
result == ['four']

Environment (IMPORTANT)

Desktop

Additional context

none

brettz9 commented 3 days ago

This is due to the fact that the safe evaluator is now the default (to avoid vulnerabilities in Node's vm), and the safe evaluator does not currently support these language features. @80avin : any plans to add support?

If you need the old behavior and are not using untrusted user data in the likes of building your paths, you should be able to set the eval: 'native' option.

80avin commented 3 days ago

@brettz9 I've added the typeof operator in https://github.com/JSONPath-Plus/JSONPath/pull/231

Just realized that I have to add undefined, null and other literals also.

Maybe the instanceof operator also, which will then require the Number, String, etc. classes.

brettz9 commented 2 days ago

@80avin Although we may have mitigated this sufficiently already by prohibiting constructor access, just be aware that adding built-in classes could provide another vector for attack, esp. I think if Function is one of them.

I'd personally just worry about adding the literals for now. Thanks!

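The evaluator trade-off described in brettz9's two comments above (a restricted evaluator instead of Node's vm, constructor access prohibited, no built-in classes such as Function exposed) can be made concrete with a small allowlisting filter evaluator. This is an added example written for this page, not JSONPath-Plus code and not the project's safe evaluator: it handles only the expression inside $[?( ... )], and its grammar, allowlists and helper names (compileFilter, filterItems, selectedNames, rejectionOf) are this example's own choices.

```javascript
// Added example, not JSONPath-Plus code: an allowlisting filter evaluator that
// compiles the expression inside $[?( ... )] into a predicate without eval,
// new Function or Node's vm. Supports typeof, undefined/null literals, !, ===,
// !==, &&, ||, parentheses, @.prop chains and three string methods.
const TOKEN_RE = /\s*(?:('(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")|(\d+(?:\.\d+)?)|([A-Za-z_$][\w$]*)|(===|!==|&&|\|\||[!().,@]))/y;
const LITERALS = new Map([['undefined', undefined], ['null', null], ['true', true], ['false', false]]);
const FORBIDDEN_PROPS = new Set(['constructor', '__proto__', 'prototype']);
const STRING_METHODS = new Set(['startsWith', 'endsWith', 'includes']); // the only callable names
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function tokenize(src) {
  const tokens = [];
  TOKEN_RE.lastIndex = 0;
  while (TOKEN_RE.lastIndex < src.length) {
    const at = TOKEN_RE.lastIndex;
    const m = TOKEN_RE.exec(src);
    if (!m) throw new Error(`unexpected input at ${at}: ${src.slice(at)}`);
    if (m[1] !== undefined) tokens.push({ t: 'str', v: m[1].slice(1, -1) }); // escapes kept verbatim
    else if (m[2] !== undefined) tokens.push({ t: 'num', v: Number(m[2]) });
    else if (m[3] !== undefined) tokens.push({ t: 'id', v: m[3] });
    else tokens.push({ t: 'op', v: m[4] });
  }
  return tokens;
}

// Recursive descent over the tokens; every rule returns a closure (item) => value.
function compileFilter(src) {
  const toks = tokenize(src.trim());
  let i = 0;
  const peek = () => toks[i];
  const isOp = (v) => peek() !== undefined && peek().t === 'op' && peek().v === v;
  const expect = (t, v) => {
    const tok = toks[i++];
    if (!tok || tok.t !== t || (v !== undefined && tok.v !== v)) throw new Error(`expected ${v ?? t}`);
    return tok;
  };
  // Precedence, loosest first: ||, &&, === and !==, unary (! and typeof), primary.
  const or = () => { let l = and(); while (isOp('||')) { i++; const a = l, b = and(); l = (x) => a(x) || b(x); } return l; };
  const and = () => { let l = eq(); while (isOp('&&')) { i++; const a = l, b = eq(); l = (x) => a(x) && b(x); } return l; };
  const eq = () => {
    let l = unary();
    while (isOp('===') || isOp('!==')) {
      const op = toks[i++].v, a = l, b = unary();
      l = op === '===' ? (x) => a(x) === b(x) : (x) => a(x) !== b(x);
    }
    return l;
  };
  const unary = () => {
    if (isOp('!')) { i++; const e = unary(); return (x) => !e(x); }
    if (peek() !== undefined && peek().t === 'id' && peek().v === 'typeof') { i++; const e = unary(); return (x) => typeof e(x); }
    return primary();
  };
  const primary = () => {
    const tok = toks[i++];
    if (!tok) throw new Error('unexpected end of filter');
    if (tok.t === 'str' || tok.t === 'num') return () => tok.v;
    if (tok.t === 'op' && tok.v === '(') { const e = or(); expect('op', ')'); return e; }
    if (tok.t === 'op' && tok.v === '@') return member((x) => x);
    if (tok.t === 'id' && LITERALS.has(tok.v)) { const v = LITERALS.get(tok.v); return () => v; }
    throw new Error(`${tok.v} is not defined`); // no free identifiers: no process, no globalThis
  };
  const member = (base) => {
    let cur = base;
    while (isOp('.')) {
      i++;
      const name = expect('id').v;
      if (FORBIDDEN_PROPS.has(name)) throw new Error(`access to ${name} is not allowed`);
      const recv = cur;
      if (isOp('(')) {
        i++;
        if (!STRING_METHODS.has(name)) throw new Error(`method ${name} is not allowed`);
        const args = [];
        if (!isOp(')')) { args.push(or()); while (isOp(',')) { i++; args.push(or()); } }
        expect('op', ')');
        cur = (x) => { // dispatch only on strings, only to allowlisted String.prototype methods
          const r = recv(x);
          return typeof r === 'string' ? String.prototype[name].call(r, ...args.map((a) => a(x))) : undefined;
        };
      } else {
        cur = (x) => { // own data properties only; the prototype chain is never consulted
          const r = recv(x);
          return r !== null && typeof r === 'object' && hasOwn(r, name) ? r[name] : undefined;
        };
      }
    }
    return cur;
  };
  const pred = or();
  if (i < toks.length) throw new Error(`unexpected token ${toks[i].v}`);
  return pred;
}

// Applies a filter to an array the way $[?(EXPR)] selects array elements.
function filterItems(items, filterSrc) {
  const pred = compileFilter(filterSrc);
  return items.filter((item) => Boolean(pred(item)));
}

// Constructed sample data, copied from the report above.
const sample = [
  { name: 'one', value: 'abc' },
  { name: 'two', value: 'skip.abc' },
  { name: 'three', value: { a: 'abc' } },
  { name: 'four' },
];

// Names selected by a filter over the sample data.
function selectedNames(filterSrc, items = sample) {
  return filterItems(items, filterSrc).map((it) => it.name);
}

// Error message for a filter the evaluator refuses to compile, or null if it compiles.
function rejectionOf(filterSrc) {
  try { compileFilter(filterSrc); return null; } catch (e) { return e.message; }
}
```

The two filters from the report select ['one'] and ['four'] respectively, while @.constructor, a bare process identifier and a non-allowlisted method such as toUpperCase are rejected when the filter is compiled, before any data is touched. Because identifiers never resolve against the JavaScript global scope and property access never consults the prototype chain, there is no path from an attacker-controlled filter string to Function or to the process object, which is the property that makes this design, unlike eval: 'native', acceptable for untrusted input.
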
80avin commented 2 days ago

@brettz9 Yes. I have only added the typeof operator and the undefined/null literals.