RubyGems - jq - Versions diffs - 1.0.0 → 1.1.0 - Mend

jq 1.0.0 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +19 -0
data/Gemfile.lock +1 -1
data/ext/jq/extconf.rb +1 -0
data/ext/jq/jq_ext.c +19 -4
data/ext/jq/patches/0001-add-sandbox-mode.patch +156 -0
data/jq.gemspec +1 -1
data/lib/jq.rb +1 -1
metadata +3 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 85a8def8b4728ce33cb6bf3322969e08d95abd40dec1efd317a7a0de764f333a
-  data.tar.gz: 96a55036c41973603dba2bbcea2970ebd6312fa2334c1afb79feba3327015228
+  metadata.gz: 4e79fcd6b493cfe8b9c153f73b09ca0e53298b24d6fcd0215efd956be60d965f
+  data.tar.gz: c3c3dd6b922e064fad34935cacef4d4c16799b62eb531965605ef9b4db132184
 SHA512:
-  metadata.gz: 301b55c4c77ec72aca48de6cf73d8ef421710b0cea7c6aa041191c0d39cbbe1763530920bdcf98c333d80c07ce4677c5fad78f3841ec8448e7ce2db3571a9148
-  data.tar.gz: 6d3c8b437eff186dc30e24f6add659312c37c4f0c4f73c602f172d93655c2eb02362ed128d21dd59f6b47bbb2f14805c1214b20ef71348eae92d4710aebd7b6d
+  metadata.gz: 8c8b6b43f7c2cb0d9c2d31724827487f1bb615afac9f5c9f491ed7ec3eeefaab79eb8b08e4219abeda712ae098ea88507ed9f055c708a6875d08d9471281e2ef
+  data.tar.gz: ee075e8b777bd6ad20cd37b4c15b98baa0f543d8ed1c7b4d1d2ccdf7696e29220b4631d50d25a8582e294efa172dd2f8f301aa9eff3216b1d09278201a52c6bf

data/CHANGELOG.md CHANGED Viewed

@@ -5,6 +5,24 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [1.1.0] - 2026-02-20
+### Added
+- Sandbox mode for `JQ.filter` (enabled by default) that blocks access to
+  environment variables (`env`, `$ENV`) and file imports (`include`, `import`)
+  - New `:sandbox` option on `JQ.filter` (default: `true`). Pass `sandbox: false`
+    to allow environment variable access and file imports.
+  - `JQ.validate_filter!` always runs in sandbox mode
+- Patch system for bundled jq source via `mini_portile2` `patch_files`
+### Changed
+- **Breaking**: `env` and `$ENV` now return empty objects by default. Pass
+  `sandbox: false` to `JQ.filter` to restore access to environment variables.
+- **Breaking**: `include` and `import` statements now raise `JQ::Error` by
+  default.
 ## [1.0.0] - 2026-01-26
 ### Added
@@ -46,4 +64,5 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Filter expressions cannot execute system commands (safe by design)
 - Tested with large inputs, deeply nested structures, and malicious filters
+[1.1.0]: https://github.com/persona-id/jq-ruby/releases/tag/v1.1.0
 [1.0.0]: https://github.com/persona-id/jq-ruby/releases/tag/v1.0.0

data/Gemfile.lock CHANGED Viewed

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    jq (1.0.0)
+    jq (1.1.0)
       mini_portile2 (~> 2.8)
 GEM

data/ext/jq/extconf.rb CHANGED Viewed

@@ -15,6 +15,7 @@ class JQRecipe < MiniPortile
       url: "https://github.com/jqlang/jq/releases/download/jq-#{JQ_VERSION}/jq-#{JQ_VERSION}.tar.gz",
       sha256: JQ_SHA256
     }
+    self.patch_files = Dir[File.join(__dir__, 'patches', '*.patch')].sort
     self.configure_options += [
       # "--enable-shared",
       "--enable-static",

data/ext/jq/jq_ext.c CHANGED Viewed

@@ -15,7 +15,8 @@ static VALUE jv_to_json_string(jv value, int raw, int compact, int sort);
 static void raise_jq_error(jv error_value, VALUE exception_class);
 static VALUE rb_jq_filter_impl(const char *json_str, const char *filter_str,
                                 int raw_output, int compact_output,
-                                int sort_keys, int multiple_outputs);
+                                int sort_keys, int multiple_outputs,
+                                int sandbox);
 /**
  * Convert a jv value to a Ruby JSON string
@@ -91,11 +92,13 @@ static void raise_jq_error(jv error_value, VALUE exception_class) {
  * @param compact_output If true, output compact JSON (jq -c)
  * @param sort_keys If true, sort object keys (jq -S)
  * @param multiple_outputs If true, return array of all results
+ * @param sandbox If true, enable sandbox mode (blocks env/include/import)
  * @return Ruby string or array of strings
  */
 static VALUE rb_jq_filter_impl(const char *json_str, const char *filter_str,
                                 int raw_output, int compact_output,
-                                int sort_keys, int multiple_outputs) {
+                                int sort_keys, int multiple_outputs,
+                                int sandbox) {
     jq_state *jq = NULL;
     jv input = jv_invalid();
     VALUE results = Qnil;
@@ -107,6 +110,10 @@ static VALUE rb_jq_filter_impl(const char *json_str, const char *filter_str,
         rb_raise(rb_eJQError, "Failed to initialize jq");
     }
+    if (sandbox) {
+        jq_set_sandbox(jq);
+    }
     // Compile filter
     if (!jq_compile(jq, filter_str)) {
         jv error = jq_get_error_message(jq);
@@ -202,6 +209,7 @@ static VALUE rb_jq_filter_impl(const char *json_str, const char *filter_str,
  * [:compact_output (Boolean)] Output compact JSON on a single line. Default: true (set to false for pretty output)
  * [:sort_keys (Boolean)] Sort object keys alphabetically (equivalent to jq -S). Default: false
  * [:multiple_outputs (Boolean)] Return array of all results instead of just the first. Default: false
+ * [:sandbox (Boolean)] Enable sandbox mode to block access to environment variables and file imports. Default: true
  *
  * === Returns
  *
@@ -259,9 +267,10 @@ VALUE rb_jq_filter(int argc, VALUE *argv, VALUE self) {
     const char *json_cstr = StringValueCStr(json_str);
     const char *filter_cstr = StringValueCStr(filter_str);
-    // Parse options (default to compact output)
+    // Parse options (default to compact output, sandbox enabled)
     int raw_output = 0, compact_output = 1;
     int sort_keys = 0, multiple_outputs = 0;
+    int sandbox = 1;
     if (!NIL_P(opts)) {
         Check_Type(opts, T_HASH);
@@ -278,11 +287,15 @@ VALUE rb_jq_filter(int argc, VALUE *argv, VALUE self) {
         opt = rb_hash_aref(opts, ID2SYM(rb_intern("multiple_outputs")));
         if (RTEST(opt)) multiple_outputs = 1;
+        opt = rb_hash_aref(opts, ID2SYM(rb_intern("sandbox")));
+        if (!NIL_P(opt)) sandbox = RTEST(opt) ? 1 : 0;
     }
     return rb_jq_filter_impl(json_cstr, filter_cstr,
                              raw_output, compact_output,
-                             sort_keys, multiple_outputs);
+                             sort_keys, multiple_outputs,
+                             sandbox);
 }
 /*
@@ -344,6 +357,8 @@ VALUE rb_jq_validate_filter(VALUE self, VALUE filter) {
         rb_raise(rb_eJQError, "Failed to initialize jq");
     }
+    jq_set_sandbox(jq);
     if (!jq_compile(jq, filter_cstr)) {
         jv error = jq_get_error_message(jq);

data/ext/jq/patches/0001-add-sandbox-mode.patch ADDED Viewed

@@ -0,0 +1,156 @@
+diff -ruN a/src/builtin.c b/src/builtin.c
+--- a/src/builtin.c	2026-02-20 23:06:20
++++ b/src/builtin.c	2026-02-20 23:09:28
+@@ -1229,6 +1229,11 @@
+ static jv f_env(jq_state *jq, jv input) {
+   jv_free(input);
+   jv env = jv_object();
++
++  // A sandboxed filter doesn't have access to environment variables,
++  // so in such a case we return the empty object without using environ.
++  if (jq_is_sandbox(jq)) return env;
++
+   const char *var, *val;
+   for (char **e = environ; *e != NULL; e++) {
+     var = e[0];
+diff -ruN a/src/compile.c b/src/compile.c
+--- a/src/compile.c	2026-02-20 23:06:20
++++ b/src/compile.c	2026-02-20 23:09:16
+@@ -1346,7 +1346,7 @@
+   return errors;
+ }
+-int block_compile(block b, struct bytecode** out, struct locfile* lf, jv args) {
++int block_compile(block b, struct bytecode** out, struct locfile* lf, jv args, int is_sandbox) {
+   struct bytecode* bc = jv_mem_alloc(sizeof(struct bytecode));
+   bc->parent = 0;
+   bc->nclosures = 0;
+@@ -1356,7 +1356,12 @@
+   bc->globals->cfunctions = jv_mem_calloc(MAX(ncfunc, 1), sizeof(struct cfunction));
+   bc->globals->cfunc_names = jv_array();
+   bc->debuginfo = jv_object_set(jv_object(), jv_string("name"), jv_null());
+-  jv env = jv_invalid();
++
++  // When sandboxed, we don't want to expose environment vars to the program,
++  // so we create an empty object which is already valid. This prevents a
++  // later step from creating a populated `$ENV` object, because that step
++  // only does so if the current value for `env` is invalid.
++  jv env = is_sandbox ? jv_object() : jv_invalid();
+   int nerrors = compile(bc, b, lf, args, &env);
+   jv_free(args);
+   jv_free(env);
+diff -ruN a/src/compile.h b/src/compile.h
+--- a/src/compile.h	2026-02-20 23:06:20
++++ b/src/compile.h	2026-02-20 23:09:07
+@@ -79,7 +79,7 @@
+ jv block_take_imports(block* body);
+ jv block_list_funcs(block body, int omit_underscores);
+-int block_compile(block, struct bytecode**, struct locfile*, jv);
++int block_compile(block, struct bytecode**, struct locfile*, jv, int is_sandbox);
+ void block_free(block);
+diff -ruN a/src/execute.c b/src/execute.c
+--- a/src/execute.c	2026-02-20 23:06:20
++++ b/src/execute.c	2026-02-20 23:08:55
+@@ -41,6 +41,7 @@
+   unsigned next_label;
+   int halted;
++  int sandbox;
+   jv exit_code;
+   jv error_message;
+@@ -1059,6 +1060,7 @@
+   jq->curr_frame = 0;
+   jq->error = jv_null();
++  jq->sandbox = 0;
+   jq->halted = 0;
+   jq->exit_code = jv_invalid();
+   jq->error_message = jv_invalid();
+@@ -1237,7 +1239,7 @@
+   if (nerrors == 0) {
+     nerrors = builtins_bind(jq, &program);
+     if (nerrors == 0) {
+-      nerrors = block_compile(program, &jq->bc, locations, args2obj(args));
++      nerrors = block_compile(program, &jq->bc, locations, args2obj(args), jq_is_sandbox(jq));
+     }
+   } else
+     jv_free(args);
+@@ -1312,6 +1314,14 @@
+ void jq_get_stderr_cb(jq_state *jq, jq_msg_cb *cb, void **data) {
+   *cb = jq->stderr_cb;
+   *data = jq->stderr_cb_data;
++}
++
++void jq_set_sandbox(jq_state *jq) {
++  jq->sandbox = 1;
++}
++
++int jq_is_sandbox(jq_state *jq) {
++  return jq->sandbox;
+ }
+ void
+diff -ruN a/src/jq.h b/src/jq.h
+--- a/src/jq.h	2026-02-20 23:06:20
++++ b/src/jq.h	2026-02-20 23:08:28
+@@ -30,6 +30,8 @@
+ jv jq_next(jq_state *);
+ void jq_teardown(jq_state **);
++void jq_set_sandbox(jq_state *);
++int jq_is_sandbox(jq_state *);
+ void jq_halt(jq_state *, jv, jv);
+ int jq_halted(jq_state *);
+ jv jq_get_exit_code(jq_state *);
+diff -ruN a/src/linker.c b/src/linker.c
+--- a/src/linker.c	2026-02-20 23:06:20
++++ b/src/linker.c	2026-02-20 23:09:45
+@@ -251,6 +251,15 @@
+     i--;
+     jv dep = jv_array_get(jv_copy(deps), i);
++    // Loading dependencies is not allowed when running in sandbox mode.
++    if (jq_is_sandbox(jq)) {
++      jq_report_error(jq, jv_string("jq: error: Loading dependencies (with import or include) is not allowed in sandbox mode"));
++      jv_free(deps);
++      jv_free(jq_origin);
++      jv_free(lib_origin);
++      return 1;
++    }
++
+     const char *as_str = NULL;
+     int is_data = jv_get_kind(jv_object_get(jv_copy(dep), jv_string("is_data"))) == JV_KIND_TRUE;
+     int raw = 0;
+@@ -420,16 +429,18 @@
+     return 1;
+   }
+-  jv home = get_home();
+-  if (jv_is_valid(home)) {
+-    /* Import ~/.jq as a library named "" found in $HOME or %USERPROFILE% */
+-    block import = gen_import_meta(gen_import("", NULL, 0),
+-        gen_const(JV_OBJECT(
+-            jv_string("optional"), jv_true(),
+-            jv_string("search"), home)));
+-    program = BLOCK(import, program);
+-  } else {    // silently ignore if home dir not determined
+-    jv_free(home);
++  if (!jq_is_sandbox(jq)) {
++    jv home = get_home();
++    if (jv_is_valid(home)) {
++      /* Import ~/.jq as a library named "" found in $HOME or %USERPROFILE% */
++      block import = gen_import_meta(gen_import("", NULL, 0),
++          gen_const(JV_OBJECT(
++              jv_string("optional"), jv_true(),
++              jv_string("search"), home)));
++      program = BLOCK(import, program);
++    } else {    // silently ignore if home dir not determined
++      jv_free(home);
++    }
+   }
+   nerrors = process_dependencies(jq, jq_get_jq_origin(jq), jq_get_prog_origin(jq), &program, &lib_state);

data/jq.gemspec CHANGED Viewed

@@ -2,7 +2,7 @@
 Gem::Specification.new do |spec|
   spec.name = "jq"
-  spec.version = "1.0.0"
+  spec.version = "1.1.0"
   spec.authors = ["Persona Identities"]
   spec.email = ["rubygems@withpersona.com"]

data/lib/jq.rb CHANGED Viewed

@@ -45,7 +45,7 @@ module JQ
   ##
   # The gem version number
   #
-  VERSION = "1.0.0"
+  VERSION = "1.1.0"
   ##
   # Base exception class for all jq-related errors.

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jq
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.0
 platform: ruby
 authors:
 - Persona Identities
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2026-01-30 00:00:00.000000000 Z
+date: 2026-02-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: mini_portile2
@@ -89,6 +89,7 @@ files:
 - ext/jq/extconf.rb
 - ext/jq/jq_ext.c
 - ext/jq/jq_ext.h
+- ext/jq/patches/0001-add-sandbox-mode.patch
 - jq.gemspec
 - lib/jq.rb
 - sig/jq.rbs