From ebbc2a76bdcf16e1f4625af252183640fdda958b Mon Sep 17 00:00:00 2001
From: Manabu Niseki
Date: Sun, 14 Jan 2024 15:45:09 +0900
Subject: [PATCH] refactor: remove $SAFE

---
 docs/analyzers/feed.md | 6 ++++++
 lib/mihari/services/feed.rb | 5 +----
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/docs/analyzers/feed.md b/docs/analyzers/feed.md
index 1165fc40..a3048476 100644
--- a/docs/analyzers/feed.md
+++ b/docs/analyzers/feed.md
@@ -33,6 +33,12 @@ json: ...

 `selector` (`string`) is a `jr` selector.

+!!! warning
+
+ With great power comes great responsibility.
+
+ `jr` can execute anything with the same privilege Mihari has. Do not use untrusted selector.
+
 ### Headers

 `headers` (`hash`) is an HTTP headers. Optional.
diff --git a/lib/mihari/services/feed.rb b/lib/mihari/services/feed.rb
index 5cf76932..6af551ca 100644
--- a/lib/mihari/services/feed.rb
+++ b/lib/mihari/services/feed.rb
@@ -93,10 +93,7 @@ class FeedParser < Service
 #
 # @param [Object] read_data
 def call(input_enumerator, selector)
- parsed = proc do
- $SAFE = 1
- input_enumerator.instance_eval(selector)
- end.call
+ parsed = input_enumerator.instance_eval(selector)

 raise TypeError unless parsed.is_a?(Array) || parsed.all?(String)
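Review bot: The added line `parsed = input_enumerator.instance_eval(selector)` still evaluates `selector` as Ruby source with the full privileges of the process, so after this change the only control left is the warning added to docs/analyzers/feed.md. Dropping `$SAFE = 1` loses nothing on Ruby 3.0 or later, where `$SAFE` is an ordinary global with no sandboxing effect, but the call site should record the trust assumption; I would add above the line `# SECURITY: selector is evaluated as Ruby code; it must come only from operator-authored rules, never from untrusted input`. If rules can reach this service from anywhere other than trusted local files (not visible in this hunk), that path needs an explicit check or a restricted selector syntax rather than documentation alone. The body of `call` continues outside the hunk, and the context line `raise TypeError unless parsed.is_a?(Array) || parsed.all?(String)` looks as if it wants `&&`, since with `||` any Array passes regardless of element type and a non-Array result reaches `all?`.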