fix: remove overly aggressive disabling of native functions but disallow __proto__

brettz9 · brettz9 · commit 98a6b229cad0 · 2024-10-18T11:12:40.000+08:00
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,5 +1,10 @@
 # CHANGES for jsonpath-plus
 
+## 10.0.5
+
+- fix: remove overly aggressive disabling of native functions but
+    disallow `__proto__`
+
 ## 10.0.4
 
 - fix(security): further prevent binding of Function calls which may evade detection
diff --git a/badges/coverage-badge.svg b/badges/coverage-badge.svg
@@ -1 +1 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="384" height="20"><defs><style>text{font-size:11px;font-family:Verdana,DejaVu Sans,Geneva,sans-serif}text.shadow{fill:#010101;fill-opacity:.3}text.high{fill:#fff}</style><linearGradient id="smooth" x2="0" y2="100%"><stop offset="0" stop-color="#aaa" stop-opacity=".1"/><stop offset="1" stop-opacity=".1"/></linearGradient><mask id="round"><rect width="100%" height="100%" rx="3" fill="#fff"/></mask></defs><g id="bg" mask="url(#round)"><path fill="green" stroke="#000" d="M0 0h109v20H0zM109 0h98v20h-98zM207 0h76v20h-76zM283 0h101v20H283z"/><path fill="url(#smooth)" d="M0 0h384v20H0z"/></g><g id="fg"><text class="shadow" x="5.5" y="15">Statements 100%</text><text class="high" x="5" y="14">Statements 100%</text><text class="shadow" x="114.5" y="15">Branches 100%</text><text class="high" x="114" y="14">Branches 100%</text><text class="shadow" x="212.5" y="15">Lines 100%</text><text class="high" x="212" y="14">Lines 100%</text><text class="shadow" x="288.5" y="15">Functions 100%</text><text class="high" x="288" y="14">Functions 100%</text></g></svg>
+<svg xmlns="http://www.w3.org/2000/svg" width="417" height="20"><defs><style>text{font-size:11px;font-family:Verdana,DejaVu Sans,Geneva,sans-serif}text.shadow{fill:#010101;fill-opacity:.3}text.high{fill:#fff}</style><linearGradient id="smooth" x2="0" y2="100%"><stop offset="0" stop-color="#aaa" stop-opacity=".1"/><stop offset="1" stop-opacity=".1"/></linearGradient><mask id="round"><rect width="100%" height="100%" rx="3" fill="#fff"/></mask></defs><g id="bg" mask="url(#round)"><path fill="orange" stroke="#000" d="M0 0h120v20H0zM120 0h109v20H120zM229 0h87v20h-87z"/><path fill="green" stroke="#000" d="M316 0h101v20H316z"/><path fill="url(#smooth)" d="M0 0h417v20H0z"/></g><g id="fg"><text class="shadow" x="5.5" y="15">Statements 99.28%</text><text class="high" x="5" y="14">Statements 99.28%</text><text class="shadow" x="125.5" y="15">Branches 98.59%</text><text class="high" x="125" y="14">Branches 98.59%</text><text class="shadow" x="234.5" y="15">Lines 99.28%</text><text class="high" x="234" y="14">Lines 99.28%</text><text class="shadow" x="321.5" y="15">Functions 100%</text><text class="high" x="321" y="14">Functions 100%</text></g></svg>
diff --git a/dist/index-browser-esm.js b/dist/index-browser-esm.js
@@ -1325,16 +1325,16 @@ const SafeEval = {
     if (func === Function) {
       throw new Error('Function constructor is disabled');
     }
-    if (func.toString() === 'function () { [native code] }') {
-      throw new Error('Native functions are disabled');
-    }
     return func(...args);
   },
   evalAssignmentExpression(ast, subs) {
     if (ast.left.type !== 'Identifier') {
       throw SyntaxError('Invalid left-hand side in assignment');
     }
     const id = ast.left.name;
+    if (id === '__proto__') {
+      throw new Error('Assignment to __proto__ is disabled');
+    }
     const value = SafeEval.evalAst(ast.right, subs);
     subs[id] = value;
     return subs[id];
diff --git a/dist/index-browser-esm.min.js b/dist/index-browser-esm.min.js
diff --git a/dist/index-browser-esm.min.js.map b/dist/index-browser-esm.min.js.map
diff --git a/dist/index-browser-umd.cjs b/dist/index-browser-umd.cjs
@@ -1331,16 +1331,16 @@
 	    if (func === Function) {
 	      throw new Error('Function constructor is disabled');
 	    }
-	    if (func.toString() === 'function () { [native code] }') {
-	      throw new Error('Native functions are disabled');
-	    }
 	    return func(...args);
 	  },
 	  evalAssignmentExpression(ast, subs) {
 	    if (ast.left.type !== 'Identifier') {
 	      throw SyntaxError('Invalid left-hand side in assignment');
 	    }
 	    const id = ast.left.name;
+	    if (id === '__proto__') {
+	      throw new Error('Assignment to __proto__ is disabled');
+	    }
 	    const value = SafeEval.evalAst(ast.right, subs);
 	    subs[id] = value;
 	    return subs[id];
diff --git a/dist/index-browser-umd.min.cjs b/dist/index-browser-umd.min.cjs
diff --git a/dist/index-browser-umd.min.cjs.map b/dist/index-browser-umd.min.cjs.map
diff --git a/dist/index-node-cjs.cjs b/dist/index-node-cjs.cjs
@@ -1326,16 +1326,16 @@ const SafeEval = {
     if (func === Function) {
       throw new Error('Function constructor is disabled');
     }
-    if (func.toString() === 'function () { [native code] }') {
-      throw new Error('Native functions are disabled');
-    }
     return func(...args);
   },
   evalAssignmentExpression(ast, subs) {
     if (ast.left.type !== 'Identifier') {
       throw SyntaxError('Invalid left-hand side in assignment');
     }
     const id = ast.left.name;
+    if (id === '__proto__') {
+      throw new Error('Assignment to __proto__ is disabled');
+    }
     const value = SafeEval.evalAst(ast.right, subs);
     subs[id] = value;
     return subs[id];
diff --git a/dist/index-node-esm.js b/dist/index-node-esm.js
@@ -1324,16 +1324,16 @@ const SafeEval = {
     if (func === Function) {
       throw new Error('Function constructor is disabled');
     }
-    if (func.toString() === 'function () { [native code] }') {
-      throw new Error('Native functions are disabled');
-    }
     return func(...args);
   },
   evalAssignmentExpression(ast, subs) {
     if (ast.left.type !== 'Identifier') {
       throw SyntaxError('Invalid left-hand side in assignment');
     }
     const id = ast.left.name;
+    if (id === '__proto__') {
+      throw new Error('Assignment to __proto__ is disabled');
+    }
     const value = SafeEval.evalAst(ast.right, subs);
     subs[id] = value;
     return subs[id];
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "author": "Stefan Goessner",
   "name": "jsonpath-plus",
-  "version": "10.0.4",
+  "version": "10.0.5",
   "type": "module",
   "bin": {
     "jsonpath": "./bin/jsonpath-cli.js",
diff --git a/src/Safe-Script.js b/src/Safe-Script.js
@@ -140,16 +140,16 @@ const SafeEval = {
         if (func === Function) {
             throw new Error('Function constructor is disabled');
         }
-        if (func.toString() === 'function () { [native code] }') {
-            throw new Error('Native functions are disabled');
-        }
         return func(...args);
     },
     evalAssignmentExpression (ast, subs) {
         if (ast.left.type !== 'Identifier') {
             throw SyntaxError('Invalid left-hand side in assignment');
         }
         const id = ast.left.name;
+        if (id === '__proto__') {
+            throw new Error('Assignment to __proto__ is disabled');
+        }
         const value = SafeEval.evalAst(ast.right, subs);
         subs[id] = value;
         return subs[id];

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"author": "Stefan Goessner",`
`3`	`3`	`"name": "jsonpath-plus",`
`4`		`- "version": "10.0.4",`
	`4`	`+ "version": "10.0.5",`
`5`	`5`	`"type": "module",`
`6`	`6`	`"bin": {`
`7`	`7`	`"jsonpath": "./bin/jsonpath-cli.js",`