Issue backdrop-contrib#1: address SA-CONTRIB-2019-083

FeedsJSONPathParser.inc

@@ -3,6 +3,9 @@
  * @file
  * Extends FeedsParser class to add JSONPath parsing.
  */
+
+use Flow\JSONPath\JSONPath;
+
 class FeedsJSONPathParser extends FeedsParser {
 
   /**
@@ -49,7 +52,6 @@ class FeedsJSONPathParser extends FeedsParser {
     if (!is_array($array)) {
       throw new Exception(t('There was an error decoding the JSON document.'));
     }
-    require_once backdrop_get_path('module', 'feeds_jsonpath_parser') . '/jsonpath/jsonpath.php';
 
     $all_items = $this->jsonPath($array, $source_config['context']);
     unset($array);
@@ -97,25 +99,33 @@ class FeedsJSONPathParser extends FeedsParser {
   }
 
   /**
-   * Utilizes the jsonPath function from jsonpath-0.8.1.php.
-   *
-   * jsonPath returns false if the expression returns zero results and that will
-   * mess up our for loops, so return an empty array instead.
+   * Searches an array via JSONPath.
    *
    * @param array $array
    *   The input array to parse.
    * @param string $expression
    *   The JSONPath expression.
    *
    * @return array
-   *   Returns an array that is the output of jsonPath.
+   *   Returns the parsed jsonpath expression.
    *
-   * @todo
-   *   Firgure out error handling.
+   * @throws RuntimeException
+   *   In case the parsed json is not an array.
    */
   protected function jsonPath($array, $expression) {
-    $result = jsonPath($array, $expression);
-    return ($result === FALSE) ? array() : $result;
+    $result = (new JSONPath($array))->find($expression)->data();
+
+    // If the returned result is empty, just return an empty array.
+    if (empty($result)) {
+      return array();
+    }
+
+    // If the parsed json is not an array, throw an exception.
+    if (!is_array($result)) {
+      throw new RuntimeException(t('The parsed json must return an array.'));
+    }
+
+    return $result;
   }
 
   /**
@@ -422,6 +432,7 @@ class FeedsJSONPathParser extends FeedsParser {
    *   The item to alter.
    * @param FeedsSource $source
    *   The feed source.
+   *
    * @return true|null
    *   Returns true if the item should be skipped.
    */

README.md

@@ -5,7 +5,7 @@ JSONPath Parser is a Feeds parser that allows parsing JSON files using the
 JSONPath library. It is very similar to the Feeds XPath Parser module.
 
 Documentation for JSONPath can be seen here:
-https://goessner.net/articles/JsonPath/
+https://github.com/FlowCommunications/JSONPath
 
 Installation
 ------------

feeds_jsonpath_parser.module

@@ -9,6 +9,18 @@
  */
 function feeds_jsonpath_parser_autoload_info() {
   return array(
+    'JSONPath' => 'libraries/JSONPath/src/Flow/JSONPath/JSONPath.php',
+    'JSONPathException' => 'libraries/JSONPath/src/Flow/JSONPath/JSONPathException.php',
+    'JSONPathLexer' => 'libraries/JSONPath/src/Flow/JSONPath/JSONPathLexer.php',
+    'JSONPathToken' => 'libraries/JSONPath/src/Flow/JSONPath/JSONPathToken.php',
+    'AccessHelper' => 'libraries/JSONPath/src/Flow/JSONPath/AccessHelper.php',
+    'AbstractFilter' => 'libraries/JSONPath/src/Flow/JSONPath/Filters/AbstractFilter.php',
+    'IndexesFilter' => 'libraries/JSONPath/src/Flow/JSONPath/Filters/IndexesFilter.php',
+    'IndexFilter' => 'libraries/JSONPath/src/Flow/JSONPath/Filters/IndexFilter.php',
+    'QueryMatchFilter' => 'libraries/JSONPath/src/Flow/JSONPath/Filters/QueryMatchFilter.php',
+    'QueryResultFilter' => 'libraries/JSONPath/src/Flow/JSONPath/Filters/QueryResultFilter.php',
+    'RecursiveFilter' => 'libraries/JSONPath/src/Flow/JSONPath/Filters/RecursiveFilter.php',
+    'SliceFilter' => 'libraries/JSONPath/src/Flow/JSONPath/Filters/SliceFilter.php',
     'FeedsJSONPathParser' => 'FeedsJSONPathParser.inc',
   );
 }

libraries/JSONPath/.gitignore

@@ -0,0 +1,5 @@
+vendor
+composer.lock
+
+.idea
+

libraries/JSONPath/.travis.yml

@@ -0,0 +1,13 @@
+language: php
+php:
+  - '5.4'
+  - '5.6'
+  - '7.1'
+  - '7.2'
+  - 'nightly'
+
+install:
+  - composer install
+
+script:
+  - vendor/bin/phpunit -c phpunit.xml

libraries/JSONPath/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2018 Flow Communications
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

libraries/JSONPath/README.md

@@ -0,0 +1,133 @@
+JSONPath
+=============
+
+This is a [JSONPath](http://goessner.net/articles/JsonPath/) implementation for PHP based on Stefan Goessner's JSONPath script.
+
+JSONPath is an XPath-like expression language for filtering, flattening and extracting data.
+
+I believe that this improves on the original script (which was last updated in 2007) by doing a few things:
+
+-   Object-oriented code (should be easier to manage or extend in future)
+-   Expressions are parsed into tokens using some code cribbed from Doctrine Lexer and cached
+-   There is no `eval()` in use
+-   Performance is pretty much the same
+-   Any combination of objects/arrays/ArrayAccess-objects can be used as the data input which is great if you're de-serializing JSON in to objects
+    or if you want to process your own data structures.
+
+Installation
+---
+
+```bash
+composer require flow/jsonpath
+```
+
+JSONPath Examples
+---
+
+JSONPath                  | Result
+--------------------------|-------------------------------------
+`$.store.books[*].author` | the authors of all books in the store
+`$..author`                | all authors
+`$.store..price`           | the price of everything in the store.
+`$..books[2]`              | the third book
+`$..books[(@.length-1)]`   | the last book in order.
+`$..books[-1:]`            | the last book in order.
+`$..books[0,1]`            | the first two books
+`$..books[:2]`             | the first two books
+`$..books[::2]`            | every second book starting from first one
+`$..books[1:6:3]`          | every third book starting from 1 till 6
+`$..books[?(@.isbn)]`      | filter all books with isbn number
+`$..books[?(@.price<10)]`  | filter all books cheapier than 10
+`$..*`                     | all elements in the data (recursively extracted)
+
+
+Expression syntax
+---
+
+Symbol                | Description
+----------------------|-------------------------
+`$`                   | The root object/element (not strictly necessary)
+`@`                   | The current object/element
+`.` or `[]`           | Child operator
+`..`                  | Recursive descent
+`*`                   | Wildcard. All child elements regardless their index.
+`[,]`                 | Array indices as a set
+`[start:end:step]`    | Array slice operator borrowed from ES4/Python.
+`?()`                 | Filters a result set by a script expression
+`()`                  | Uses the result of a script expression as the index
+
+PHP Usage
+---
+
+```php
+$data = ['people' => [['name' => 'Joe'], ['name' => 'Jane'], ['name' => 'John']]];
+$result = (new JSONPath($data))->find('$.people.*.name'); // returns new JSONPath
+// $result[0] === 'Joe'
+// $result[1] === 'Jane'
+// $result[2] === 'John'
+```
+
+### Magic method access
+
+The options flag `JSONPath::ALLOW_MAGIC` will instruct JSONPath when retrieving a value to first check if an object
+has a magic `__get()` method and will call this method if available. This feature is *iffy* and
+not very predictable as:
+
+-  wildcard and recursive features will only look at public properties and can't smell which properties are magically accessible
+-  there is no `property_exists` check for magic methods so an object with a magic `__get()` will always return `true` when checking
+   if the property exists
+-   any errors thrown or unpredictable behaviour caused by fetching via `__get()` is your own problem to deal with
+
+```php
+$jsonPath = new JSONPath($myObject, JSONPath::ALLOW_MAGIC);
+```
+
+For more examples, check the JSONPathTest.php tests file.
+
+Script expressions
+-------
+
+Script expressions are not supported as the original author intended because:
+
+-   This would only be achievable through `eval` (boo).
+-   Using the script engine from different languages defeats the purpose of having a single expression evaluate the same way in different
+    languages which seems like a bit of a flaw if you're creating an abstract expression syntax.
+
+So here are the types of query expressions that are supported:
+
+	[?(@._KEY_ _OPERATOR_ _VALUE_)] // <, >, !=, and ==
+	Eg.
+	[?(@.title == "A string")] //
+	[?(@.title = "A string")]
+	// A single equals is not an assignment but the SQL-style of '=='
+
+Similar projects
+----------------
+
+[JMESPath](https://github.com/jmespath) does similiar things, is full of features and has a PHP implementation
+
+The [Hash](http://book.cakephp.org/2.0/en/core-utility-libraries/hash.html) utility from CakePHP does some similar things 
+
+The original JsonPath implementations is available at [http://code.google.com/p/jsonpath]() and re-hosted for composer
+here [Peekmo/JsonPath](https://github.com/Peekmo/JsonPath).
+
+[ObjectPath](http://objectpath.org) ([https://github.com/adriank/ObjectPath]()) appears to be a Python/JS implementation
+with a new name and extra features.
+
+Changelog
+---------
+
+### 0.3.0
+ - Added JSONPathToken class as value object
+ - Lexer clean up and refactor
+ - Updated the lexing and filtering of the recursive token ("..") to allow for a combination of recursion
+   and filters, eg. $..[?(@.type == 'suburb')].name
+
+### 0.2.1 - 0.2.5
+ - Various bug fixes and clean up
+
+### 0.2.0
+ - Added a heap of array access features for more creative iterating and chaining possibilities
+
+### 0.1.x
+ - Init