diff --git a/src/jsonata.js b/src/jsonata.js index 8b4a68ca..199b7dfc 100644 --- a/src/jsonata.js +++ b/src/jsonata.js @@ -1293,6 +1293,13 @@ var jsonata = (function() { } for(var ii = 0; ii < matches.length; ii++) { var match = matches[ii]; + if (match && match.isPrototypeOf(result)) { + throw { + code: "D1010", + stack: (new Error()).stack, + position: expr.position + }; + } // evaluate the update value for each match var update = await evaluate(expr.update, match, environment); // update must be an object @@ -1539,7 +1546,7 @@ var jsonata = (function() { if (typeof err.token == 'undefined' && typeof proc.token !== 'undefined') { err.token = proc.token; } - err.position = proc.position; + err.position = proc.position || err.position; } throw err; } @@ -1972,6 +1979,7 @@ var jsonata = (function() { "T1007": "Attempted to partially apply a non-function. Did you mean ${{{token}}}?", "T1008": "Attempted to partially apply a non-function", "D1009": "Multiple key definitions evaluate to same key: {{value}}", + "D1010": "Attempted to access the Javascript object prototype", // Javascript specific "T1010": "The matcher function argument passed to function {{token}} does not return the correct object structure", "T2001": "The left side of the {{token}} operator must evaluate to a number", "T2002": "The right side of the {{token}} operator must evaluate to a number", diff --git a/test/implementation-tests.js b/test/implementation-tests.js index 1abc214f..ace6efe5 100644 --- a/test/implementation-tests.js +++ b/test/implementation-tests.js @@ -955,6 +955,26 @@ describe("Tests that are specific to a Javascript runtime", () => { }); }); }); + describe("Expressions that attempt to pollute the object prototype", function() { + it("should throw an error with __proto__", async function() { + const expr = jsonata('{} ~> | __proto__ | {"is_admin": true} |'); + expect( + expr.evaluate() + ).to.eventually.be.rejected.to.deep.contain({ + position: 7, + code: "D1010", + }); + }); + it("should throw an error with __lookupGetter__", async function() { + const expr = jsonata('{} ~> | __lookupGetter__("__proto__")() | {"is_admin": true} |'); + expect( + expr.evaluate() + ).to.eventually.be.rejected.to.deep.contain({ + position: 7, + code: "D1010", + }); + }); + }); }); describe("Test that yield platform specific results", () => {