fix(security): prevent call/apply invocation of Function

brettz9 · brettz9 · commit 763ada0268d6 · 2024-10-18T15:19:13.000+08:00
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,5 +1,9 @@
 # CHANGES for jsonpath-plus
 
+## 10.0.6
+
+- fix(security): prevent `call`/`apply` invocation of `Function`
+
 ## 10.0.5
 
 - fix: remove overly aggressive disabling of native functions but
diff --git a/badges/coverage-badge.svg b/badges/coverage-badge.svg
@@ -1 +1 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="417" height="20"><defs><style>text{font-size:11px;font-family:Verdana,DejaVu Sans,Geneva,sans-serif}text.shadow{fill:#010101;fill-opacity:.3}text.high{fill:#fff}</style><linearGradient id="smooth" x2="0" y2="100%"><stop offset="0" stop-color="#aaa" stop-opacity=".1"/><stop offset="1" stop-opacity=".1"/></linearGradient><mask id="round"><rect width="100%" height="100%" rx="3" fill="#fff"/></mask></defs><g id="bg" mask="url(#round)"><path fill="orange" stroke="#000" d="M0 0h120v20H0zM120 0h109v20H120zM229 0h87v20h-87z"/><path fill="green" stroke="#000" d="M316 0h101v20H316z"/><path fill="url(#smooth)" d="M0 0h417v20H0z"/></g><g id="fg"><text class="shadow" x="5.5" y="15">Statements 99.28%</text><text class="high" x="5" y="14">Statements 99.28%</text><text class="shadow" x="125.5" y="15">Branches 98.59%</text><text class="high" x="125" y="14">Branches 98.59%</text><text class="shadow" x="234.5" y="15">Lines 99.28%</text><text class="high" x="234" y="14">Lines 99.28%</text><text class="shadow" x="321.5" y="15">Functions 100%</text><text class="high" x="321" y="14">Functions 100%</text></g></svg>
+<svg xmlns="http://www.w3.org/2000/svg" width="417" height="20"><defs><style>text{font-size:11px;font-family:Verdana,DejaVu Sans,Geneva,sans-serif}text.shadow{fill:#010101;fill-opacity:.3}text.high{fill:#fff}</style><linearGradient id="smooth" x2="0" y2="100%"><stop offset="0" stop-color="#aaa" stop-opacity=".1"/><stop offset="1" stop-opacity=".1"/></linearGradient><mask id="round"><rect width="100%" height="100%" rx="3" fill="#fff"/></mask></defs><g id="bg" mask="url(#round)"><path fill="orange" stroke="#000" d="M0 0h120v20H0zM120 0h109v20H120zM229 0h87v20h-87z"/><path fill="green" stroke="#000" d="M316 0h101v20H316z"/><path fill="url(#smooth)" d="M0 0h417v20H0z"/></g><g id="fg"><text class="shadow" x="5.5" y="15">Statements 98.83%</text><text class="high" x="5" y="14">Statements 98.83%</text><text class="shadow" x="125.5" y="15">Branches 98.04%</text><text class="high" x="125" y="14">Branches 98.04%</text><text class="shadow" x="234.5" y="15">Lines 98.83%</text><text class="high" x="234" y="14">Lines 98.83%</text><text class="shadow" x="321.5" y="15">Functions 100%</text><text class="high" x="321" y="14">Functions 100%</text></g></svg>
diff --git a/dist/index-browser-esm.js b/dist/index-browser-esm.js
@@ -1299,6 +1299,9 @@ const SafeEval = {
       if (obj === Function && prop === 'bind') {
         throw new Error('Function.prototype.bind is disabled');
       }
+      if (obj === Function && (prop === 'call' || prop === 'apply')) {
+        throw new Error('Function.prototype.call and ' + 'Function.prototype.apply are disabled');
+      }
       if (result === Function) {
         return result; // Don't bind so can identify and throw later
       }
diff --git a/dist/index-browser-esm.min.js b/dist/index-browser-esm.min.js
diff --git a/dist/index-browser-esm.min.js.map b/dist/index-browser-esm.min.js.map
diff --git a/dist/index-browser-umd.cjs b/dist/index-browser-umd.cjs
@@ -1305,6 +1305,9 @@
 	      if (obj === Function && prop === 'bind') {
 	        throw new Error('Function.prototype.bind is disabled');
 	      }
+	      if (obj === Function && (prop === 'call' || prop === 'apply')) {
+	        throw new Error('Function.prototype.call and ' + 'Function.prototype.apply are disabled');
+	      }
 	      if (result === Function) {
 	        return result; // Don't bind so can identify and throw later
 	      }
diff --git a/dist/index-browser-umd.min.cjs b/dist/index-browser-umd.min.cjs
diff --git a/dist/index-browser-umd.min.cjs.map b/dist/index-browser-umd.min.cjs.map
diff --git a/dist/index-node-cjs.cjs b/dist/index-node-cjs.cjs
@@ -1300,6 +1300,9 @@ const SafeEval = {
       if (obj === Function && prop === 'bind') {
         throw new Error('Function.prototype.bind is disabled');
       }
+      if (obj === Function && (prop === 'call' || prop === 'apply')) {
+        throw new Error('Function.prototype.call and ' + 'Function.prototype.apply are disabled');
+      }
       if (result === Function) {
         return result; // Don't bind so can identify and throw later
       }
diff --git a/dist/index-node-esm.js b/dist/index-node-esm.js
@@ -1298,6 +1298,9 @@ const SafeEval = {
       if (obj === Function && prop === 'bind') {
         throw new Error('Function.prototype.bind is disabled');
       }
+      if (obj === Function && (prop === 'call' || prop === 'apply')) {
+        throw new Error('Function.prototype.call and ' + 'Function.prototype.apply are disabled');
+      }
       if (result === Function) {
         return result; // Don't bind so can identify and throw later
       }
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "author": "Stefan Goessner",
   "name": "jsonpath-plus",
-  "version": "10.0.5",
+  "version": "10.0.6",
   "type": "module",
   "bin": {
     "jsonpath": "./bin/jsonpath-cli.js",
diff --git a/src/Safe-Script.js b/src/Safe-Script.js
@@ -114,6 +114,12 @@ const SafeEval = {
             if (obj === Function && prop === 'bind') {
                 throw new Error('Function.prototype.bind is disabled');
             }
+            if (obj === Function && (prop === 'call' || prop === 'apply')) {
+                throw new Error(
+                    'Function.prototype.call and ' +
+                    'Function.prototype.apply are disabled'
+                );
+            }
             if (result === Function) {
                 return result; // Don't bind so can identify and throw later
             }

Original file line number	Diff line number	Diff line change
`@@ -1299,6 +1299,9 @@ const SafeEval = {`
`1299`	`1299`	`if (obj === Function && prop === 'bind') {`
`1300`	`1300`	`throw new Error('Function.prototype.bind is disabled');`
`1301`	`1301`	`}`
	`1302`	`+ if (obj === Function && (prop === 'call' \|\| prop === 'apply')) {`
	`1303`	`+ throw new Error('Function.prototype.call and ' + 'Function.prototype.apply are disabled');`
	`1304`	`+ }`
`1302`	`1305`	`if (result === Function) {`
`1303`	`1306`	`return result; // Don't bind so can identify and throw later`
`1304`	`1307`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1305,6 +1305,9 @@`
`1305`	`1305`	`if (obj === Function && prop === 'bind') {`
`1306`	`1306`	`throw new Error('Function.prototype.bind is disabled');`
`1307`	`1307`	`}`
	`1308`	`+ if (obj === Function && (prop === 'call' \|\| prop === 'apply')) {`
	`1309`	`+ throw new Error('Function.prototype.call and ' + 'Function.prototype.apply are disabled');`
	`1310`	`+ }`
`1308`	`1311`	`if (result === Function) {`
`1309`	`1312`	`return result; // Don't bind so can identify and throw later`
`1310`	`1313`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1300,6 +1300,9 @@ const SafeEval = {`
`1300`	`1300`	`if (obj === Function && prop === 'bind') {`
`1301`	`1301`	`throw new Error('Function.prototype.bind is disabled');`
`1302`	`1302`	`}`
	`1303`	`+ if (obj === Function && (prop === 'call' \|\| prop === 'apply')) {`
	`1304`	`+ throw new Error('Function.prototype.call and ' + 'Function.prototype.apply are disabled');`
	`1305`	`+ }`
`1303`	`1306`	`if (result === Function) {`
`1304`	`1307`	`return result; // Don't bind so can identify and throw later`
`1305`	`1308`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1298,6 +1298,9 @@ const SafeEval = {`
`1298`	`1298`	`if (obj === Function && prop === 'bind') {`
`1299`	`1299`	`throw new Error('Function.prototype.bind is disabled');`
`1300`	`1300`	`}`
	`1301`	`+ if (obj === Function && (prop === 'call' \|\| prop === 'apply')) {`
	`1302`	`+ throw new Error('Function.prototype.call and ' + 'Function.prototype.apply are disabled');`
	`1303`	`+ }`
`1301`	`1304`	`if (result === Function) {`
`1302`	`1305`	`return result; // Don't bind so can identify and throw later`
`1303`	`1306`	`}`