Secure by default #182

@rluvaton

Description

Currently, JavaScript evaluation is enabled by default, which is a bad practice. I know this project is not maintained anymore, but given the case I would like to know if you would merge a PR that disables the evaluation by default.

JavaScript evaluation is very dangerous if it comes from user input (even if it's running in a sandbox). For example, the following path will cause a heap out of memory error:

const { JSONPath } = require('jsonpath-plus');

// Filter expression from the issue: a function with no base case that
// doubles its array on every call. With evaluation enabled (the default),
// the library runs it and the process dies with a heap out-of-memory error.
JSONPath({
  json: { nonEmpty: 'object' },
  path: '$..[?((function a(arr){ a([...arr, ...arr]) })([1]);)]'
});
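The two defences a practitioner would pair with the default change the issue asks for, as an added example that is not part of the original issue or of jsonpath-plus: a structural allowlist applied before a user-controlled path reaches the library, and the library's own evaluation switch. The `preventEval` option name is taken from the jsonpath-plus documentation of the time and is an assumption about the installed version (newer releases expose `eval: false`); `isStructuralPath`, `queryUntrusted`, `SEGMENT` and `MAX_PATH_LENGTH` are names chosen here, and the allowlisted grammar is a deliberately conservative subset of what the library accepts.

```javascript
// Added example: not code from jsonpath-plus or from the issue's author.
// Defence in depth for JSONPath strings that come from user input:
//   1. an allowlist that admits only structural selectors, so nothing that
//      could reach the library's expression evaluator is ever passed to it;
//   2. the library option that disables evaluation outright (assumed:
//      `preventEval: true`, as documented for the jsonpath-plus releases of
//      this issue's era; newer releases expose `eval: false`), so a gap in
//      the allowlist still cannot turn into script execution.

// One segment of the structural subset. Accepted forms:
//   ..[ ... ]   recursive descent followed by a bracket selector
//   .name  ..name  .*  ..*
//   [*]  [0]  [0,2]  [-1]  [1:3]  [::2]  ['key']  ["key"]  ['a','b']
// A '(' cannot appear anywhere, not even inside or escaped within a quoted
// key, so the [?(expr)] filter and [(expr)] script selectors never pass.
const SEGMENT = /^(?:\.\.(?=\[)|\.\.?(?:\*|[A-Za-z_][A-Za-z0-9_]*)|\[(?:\*|-?\d+(?:,-?\d+)*|-?\d*:-?\d*(?::-?\d*)?|'(?:[^'\\()]|\\[^()])*'(?:,'(?:[^'\\()]|\\[^()])*')*|"(?:[^"\\()]|\\[^()])*")\])/;

const MAX_PATH_LENGTH = 512; // constructed bound; tune for your inputs

// Returns true only when every character after the leading '$' is consumed
// by structural segments. The alternatives in SEGMENT are disjoint on their
// first character, so matching is linear in the path length.
function isStructuralPath(path) {
  if (typeof path !== 'string' || path.length > MAX_PATH_LENGTH) return false;
  if (!path.startsWith('$')) return false;
  let rest = path.slice(1);
  while (rest.length > 0) {
    const m = SEGMENT.exec(rest);
    if (m === null) return false;
    rest = rest.slice(m[0].length);
  }
  return true;
}

// `JSONPath` is the library's exported function, passed in as a parameter
// so this file runs without the package installed. The path is checked
// first and the evaluator is switched off regardless of the outcome.
function queryUntrusted(JSONPath, json, path) {
  if (!isStructuralPath(path)) {
    throw new Error('JSONPath rejected: only structural selectors are allowed');
  }
  return JSONPath({ json, path, preventEval: true });
}

// Usage with the real library (assumed installed):
//   const { JSONPath } = require('jsonpath-plus');
//   queryUntrusted(JSONPath, data, '$..author');   // runs with evaluation off
//   queryUntrusted(JSONPath, data, '$..[?(1)]');   // throws before the library sees it
```

The allowlist, not the library option, is the control that decides what an attacker can make the process do; the option is there so that a future regex mistake degrades to a thrown error rather than to evaluation. Adjust `SEGMENT` if your application legitimately needs property names outside `[A-Za-z0-9_]` or unquoted keys with other characters.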
