Thread safety + security #23
Comments
@blambeau Thanks for reaching out, and glad you're finding enumpath useful! Yes, those all sound like good additions and I'm definitely open to PRs for those improvements.
@blambeau let me know if there's anything I can do to help you get started on this. Would love to hear about your use case for Enumpath too!
@chrisbloom7 Thanks. I'd like to integrate enumpath into https://github.com/enspirit/monolens (e.g. https://github.com/enspirit/monolens/tree/master/documentation/use-cases/data-templates) that is itself used in https://klaro.cards to create data transformations to import from Excel files. The thing is that Monolens "programs" are uploaded by end users, so I need something 100% safe. My first implementation takes inspiration from yours and unblocked me (https://github.com/enspirit/monolens/blob/60fe33d1901c7e3fc23af58f32c949ad27166717/lib/monolens/jsonpath.rb#L52-L55) but in the long run I'd like a full jsonpath engine.
@chrisbloom7 you can close this issue IMO. I'll probably get back to you in the coming weeks/months when I have a need for a real jsonpath engine.
@blambeau sounds good. Happy to collaborate when the time comes.
Is your feature request related to a problem? Please describe.
I'm looking for a jsonpath implementation in a project that will accept path expressions from the external world. So I'm reviewing jsonpath and enumpath with respect to thread safety and security.
Describe the solution you'd like
I've seen in Make threadsafe #12 that you are concerned about thread safety (for instance MiniCache). Would you accept a PR that removes global state and either allows disabling caching or finds a thread-safe solution to it?
Would you accept a PR that allows disabling the use of `public_send` and related features?
Would you accept a PR that allows limiting features that might expose security issues (such as accepting or compiling to regular expressions)?
Many thanks for this great gem. The code and logic are easy to get involved in, really clear.
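As an added illustration (not part of the issue, and not enumpath's or Monolens's code), the sketch below shows a path resolver with the three properties requested above: no shared cache or global state, no `public_send`, and no regular expression built from the expression. The `SafePath` module, its limits, the dot-separated syntax and the sample data are all assumptions made for this example.

```ruby
# Added example: SafePath is hypothetical, not enumpath's or Monolens's API.
module SafePath
  MAX_SEGMENTS = 32         # assumed limit on expression size
  MAX_SEGMENT_LENGTH = 64   # assumed limit on one segment
  INDEX = /\A-?\d{1,9}\z/   # fixed pattern, never built from input

  class Rejected < StandardError; end

  # Pure function: no cache and no module-level mutable state to share
  # between threads.
  def self.parse(expr)
    raise Rejected, "path must be a String" unless expr.is_a?(String)
    segments = expr.split(".", -1)
    raise Rejected, "empty path" if segments.empty?
    raise Rejected, "too many segments" if segments.size > MAX_SEGMENTS
    segments.each do |seg|
      raise Rejected, "empty segment" if seg.empty?
      raise Rejected, "segment too long" if seg.length > MAX_SEGMENT_LENGTH
    end
    segments
  end

  # Walks Hash keys and Array indices only. A segment is never used as a
  # method name, so objects inside the data are dead ends.
  def self.resolve(data, expr)
    parse(expr).reduce(data) do |node, seg|
      case node
      when Hash
        # Match Symbol keys by comparing strings: no to_sym on user input.
        key = node.key?(seg) ? seg : node.keys.find { |k| k.is_a?(Symbol) && k.to_s == seg }
        return nil if key.nil?
        node[key]
      when Array
        return nil unless INDEX.match?(seg)
        node[seg.to_i]
      else
        return nil
      end
    end
  end
end

# Constructed sample data; Account stands in for any object with methods.
class Account
  def destroy!
    :destroyed
  end
end
SAMPLE = { "users" => [{ "name" => "ann", role: "admin" }], "acct" => Account.new }.freeze
```

With this data, `SafePath.resolve(SAMPLE, "users.0.name")` returns `"ann"`, while `"acct.destroy!"` and `"users.class"` return `nil` because neither segment is ever dispatched as a method call.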