diff --git a/docs/analyzers/feed.md b/docs/analyzers/feed.md
index 1165fc40..a3048476 100644
--- a/docs/analyzers/feed.md
+++ b/docs/analyzers/feed.md
@@ -33,6 +33,12 @@ json: ...
 `selector` (`string`) is a `jr` selector.
+!!! warning
+
+ With great power comes great responsibility.
+
+ `jr` can execute anything with the same privilege Mihari has. Do not use untrusted selector.
+
 ### Headers
 `headers` (`hash`) is an HTTP headers. Optional.
diff --git a/lib/mihari/services/feed.rb b/lib/mihari/services/feed.rb
index 5cf76932..6af551ca 100644
--- a/lib/mihari/services/feed.rb
+++ b/lib/mihari/services/feed.rb
@@ -93,10 +93,7 @@ class FeedParser < Service
 #
 # @param [Object] read_data
 def call(input_enumerator, selector)
- parsed = proc do
- $SAFE = 1
- input_enumerator.instance_eval(selector)
- end.call
+ parsed = input_enumerator.instance_eval(selector)
 raise TypeError unless parsed.is_a?(Array) || parsed.all?(String)
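Review bot: `input_enumerator.instance_eval(selector)` evaluates the selector string as Ruby with the process's full privileges, and the only control left is the warning added to docs/analyzers/feed.md; the YARD block above `call` still documents `read_data` and says nothing about `selector`. I would record the trust boundary where the evaluation happens, e.g. `# @param [String] selector Ruby code run via instance_eval with Mihari's privileges; only pass selectors from trusted rules`. Separately, the check on the following context line uses `||`, so any Array passes regardless of its elements and a non-Array result falls through to `all?`; `raise TypeError unless parsed.is_a?(Array) && parsed.all?(String)` looks like what was intended. The body of `call` continues past the end of the hunk, so whether the result is validated further is not visible here.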