The operations object could be exploited to run arbitrary code (#98)

* The operations object could be exploited to run arbitrary code

* Version bump

Co-authored-by: Jeremy Wadhams <[email protected]>

Author: jwadhams

Diff for: logic.js

@@ -340,18 +340,19 @@ http://ricostacruz.com/cheatsheets/umdjs.html
     // The operation is called with "data" bound to its "this" and "values" passed as arguments.
     // Structured commands like % or > can name formal arguments while flexible commands (like missing or merge) can operate on the pseudo-array arguments
     // https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Functions/arguments
-    if (typeof operations[op] === "function") {
+    if (operations.hasOwnProperty(op) && typeof operations[op] === "function") {
       return operations[op].apply(data, values);
     } else if (op.indexOf(".") > 0) { // Contains a dot, and not in the 0th position
       var sub_ops = String(op).split(".");
       var operation = operations;
       for (i = 0; i < sub_ops.length; i++) {
-        // Descending into operations
-        operation = operation[sub_ops[i]];
-        if (operation === undefined) {
+
+        if (!operation.hasOwnProperty(sub_ops[i])) {
           throw new Error("Unrecognized operation " + op +
             " (failed at " + sub_ops.slice(0, i+1).join(".") + ")");
         }
+        // Descending into operations
+        operation = operation[sub_ops[i]];
       }
 
       return operation.apply(data, values);

Diff for: package.json

@@ -1,6 +1,6 @@
 {
   "name": "json-logic-js",
-  "version": "2.0.0",
+  "version": "2.0.1",
   "description": "Build complex rules, serialize them as JSON, and execute them in JavaScript",
   "main": "logic.js",
   "directories": {