Closed 3-14r closed 1 day ago
This is due to the fact that the safe evaluator is now the default (to avoid vulnerabilities in Node's vm), and the safe evaluator does not currently support these language features. @80avin : any plans to add support?
If you need the old behavior and are not using untrusted user data in the likes of building your paths, you should be able to set the eval: 'native'
option.
@brettz9 I've added typeof
operator in https://github.com/JSONPath-Plus/JSONPath/pull/231
Just realized that I have to add undefined
, null and other literals also.
Maybe instanceof
operator also which will then require Number
, String
, etc classes.
@80avin Although we may have mitigated this sufficiently already by prohibiting constructor
access, just be aware that adding built-in classes could provide another vector for attack, esp. I think if Function
is one of them.
I'd personally just worry about adding the literals for now. Thanks!
@brettz9 Yes. I have only added typeof operator and undefined/null literals.
Describe the bug
Using the operator
typeof
or the valueundefined
in filter throws an exception in version 10.0.0 It was not the case in version 7.2.0Code sample or steps to reproduce
Console error or logs
in first case:
Error: jsonPath: typeof is not defined: typeof @.value === 'string' && !@.value.startsWith('skip.')
in second case:
Error: jsonPath: undefined is not defined: @.value === undefined
Expected behavior
To not throw exception
Expected result
Environment (IMPORTANT)
Desktop**
Additional context
none