Ticket #5957 (closed enhancement: fixed)

Opened 4 months ago

Last modified 11 days ago

[patch][cla] Add Safe Sub-Expressions Support for JsonPath

Reported by: kriszyp Owned by: kriszyp
Priority: normal Milestone: 1.2
Component: Dojox Version: 1.0
Severity: normal Keywords:
Cc:

Description (last modified by dylan) (diff)

Currently JsonPath? syntax, permits sub-expressions that may be any valid JavaScript? expression. This greatly limits portability because environments that do have full JavaScript? capabilities can not evaluate the expression. Safe sub-expressions use a limited set of operators that can easily be implemented in using any language without requiring a JavaScript? VM. Safe sub-expressions are limited to use the following operators: =, !=, >=, <=, +, -, /, *, ?, : JsonPath? will support a safe sub-expression evaluation syntax checking, which prevents ad-hoc sub-expressions that do not adhere to this set of operators. Safe sub-expression evaluation also prevents arbitrary code execution in JsonPath?. If user supplied JsonPath? queries are executed it is highly recommended that safe sub-expressions evaluation is used to prevent arbitrary JavaScript? execution.

Attachments

jsonPath.diff (21.2 kB) - added by kriszyp 4 months ago.
Patch

Change History

Changed 4 months ago by peller

  • owner changed from anonymous to peller
  • component changed from General to Dojox

Changed 4 months ago by peller

  • owner changed from peller to dmachi

Changed 4 months ago by kriszyp

Patch

Changed 4 months ago by dylan

  • summary changed from Add Safe Sub-Expressions Support for JsonPath to [patch][cla] Add Safe Sub-Expressions Support for JsonPath
  • milestone changed from 1.1 to 1.2

Changed 4 weeks ago by dylan

  • owner changed from dmachi to kriszyp
  • description modified (diff)

Changed 11 days ago by kriszyp

I have done numerous other improvements such as: New features: 1. Lenient syntax handling. Right now a simply query user filter expression looks like: $[?(@.price < 10)] We could first of all remove the requirement to start with $, and just let it start with an operator ([ or .). Next, it doesn't seem necessary to require a paranthesis to enclose the expression following the ? on filter expression. We could have [?@.price<10] Then we could also imply that any direct names in a filter expression are properties of @ (the filter items): [?price<10] Finally, we don't really even need the brackets except when more query operations will follow the filter expression: ?price<10 If we had another operation, queries would have to retain the brackets: [?price<10][0:10] 2. Add sorting support. The syntax is like: /firstName // ascending by firstName or [\firstName, /lastName] // descending by firstName, and then ascending by lastName for firstName ties A query might look like: $[?price < 10][\rating] to find items under $10 and then sorting by rating (highest first) Multiple prioritized columns of sorting could be done like: $[?price < 10][\rating, /author.firstName] which would sort first by rating (descending) and then ties in rating would be sorted by author's firstName in ascending order. 3. Mapping/multi-property selection. You can do mappings with syntax like: [=newValue] To create a list of authors: $.books[=author] To creates a list of authors who have a book for under $10 we could do: $[?price < 10][={rating:rating, name:author.firstName + ' ' + author.lastName}] This will create a list of objects that have a rating property (from the book's rating), and a name property that is the concatenation of the author's first and last name. 4. General result-level expressions. You can now do general result-level expressions: $[0].rating > 3 Finds the rating for the first book and returns true or false if the rating is greater than 3.

Consequently this is going to be committed at dojox.json.query.

Changed 11 days ago by kzyp

  • status changed from new to closed
  • resolution set to fixed

(In [14119]) Implementation/fixes #5957

Note: See TracTickets for help on using tickets.