Bump jsonpath-plus

2026-02-03 14:00:40 -08:00 · 2026-01-29 13:15:07 +00:00 · 2026-01-29 13:15:07 +00:00 · eef4cd3c5e
commit eef4cd3c5e
parent 2092e5b20c
3 changed files with 23 additions and 10 deletions
--- a/package-lock.json
+++ b/package-lock.json
@ -57,7 +57,7 @@
        "jsesc": "^3.0.2",
        "json5": "^2.2.3",
        "jsonata": "^2.0.3",
-        "jsonpath-plus": "^9.0.0",
+        "jsonpath-plus": "^10.3.0",
        "jsonwebtoken": "8.5.1",
        "jsqr": "^1.4.0",
        "jsrsasign": "^11.1.0",
@ -12503,21 +12503,21 @@
      }
    },
    "node_modules/jsonpath-plus": {
-      "version": "9.0.0",
-      "resolved": "https://registry.npmjs.org/jsonpath-plus/-/jsonpath-plus-9.0.0.tgz",
-      "integrity": "sha512-bqE77VIDStrOTV/czspZhTn+o27Xx9ZJRGVkdVShEtPoqsIx5yALv3lWVU6y+PqYvWPJNWE7ORCQheQkEe0DDA==",
+      "version": "10.3.0",
+      "resolved": "https://registry.npmjs.org/jsonpath-plus/-/jsonpath-plus-10.3.0.tgz",
+      "integrity": "sha512-8TNmfeTCk2Le33A3vRRwtuworG/L5RrgMvdjhKZxvyShO+mBu2fP50OWUjRLNtvw344DdDarFh9buFAZs5ujeA==",
      "license": "MIT",
      "dependencies": {
-        "@jsep-plugin/assignment": "^1.2.1",
-        "@jsep-plugin/regex": "^1.0.3",
-        "jsep": "^1.3.8"
+        "@jsep-plugin/assignment": "^1.3.0",
+        "@jsep-plugin/regex": "^1.0.4",
+        "jsep": "^1.4.0"
      },
      "bin": {
        "jsonpath": "bin/jsonpath-cli.js",
        "jsonpath-plus": "bin/jsonpath-cli.js"
      },
      "engines": {
-        "node": ">=14.0.0"
+        "node": ">=18.0.0"
      }
    },
    "node_modules/jsonwebtoken": {
--- a/package.json
+++ b/package.json
@ -143,7 +143,7 @@
    "jsesc": "^3.0.2",
    "json5": "^2.2.3",
    "jsonata": "^2.0.3",
-    "jsonpath-plus": "^9.0.0",
+    "jsonpath-plus": "^10.3.0",
    "jsonwebtoken": "8.5.1",
    "jsqr": "^1.4.0",
    "jsrsasign": "^11.1.0",
--- a/tests/operations/tests/Code.mjs
+++ b/tests/operations/tests/Code.mjs
@ -322,8 +322,21 @@ TestRegister.addTests([
                ]
            }
        ],
-        expectedMatch: /^Invalid JPath expression: jsonPath: self is not defined:/
+        expectedMatch: /^Invalid JPath expression: Unexpected "{" at character 1/
    },
+    {
+        name: "JPath Expression: Script-based RCE",
+        input: "[{}]",
+        recipeConfig: [
+            {
+                "op": "JPath expression",
+                "args": [
+                    "$..[?(p=\"console.log(this.process.mainModule.require('child_process').execSync('id').toString())\";a=''[['constructor']][['constructor']](p);a())]",
+                    "\n"
+                ]
+            }
+        ],
+        expectedMatch: /^Invalid JPath expression: jsonPath: Cannot read properties of {2}\(reading 'constructor'\): /    },
    {
        name: "CSS selector",
        input: '<div id="test">\n<p class="a">hello</p>\n<p>world</p>\n<p class="a">again</p>\n</div>',