Skip to content

fix(filter): allow bare @ adjacent to an operator without whitespace#267

Open
spokodev wants to merge 1 commit into
JSONPath-Plus:mainfrom
spokodev:fix/filter-current-node-operator
Open

fix(filter): allow bare @ adjacent to an operator without whitespace#267
spokodev wants to merge 1 commit into
JSONPath-Plus:mainfrom
spokodev:fix/filter-current-node-operator

Conversation

@spokodev

@spokodev spokodev commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Bug

A filter with a bare @ (the current node) placed directly against an operator, with no whitespace, fails to evaluate:

JSONPath({json: [0, 1, 2, 3], path: '$[?(@>1)]'});
// Error: Unexpected "@" at character 0   (safe eval)
// Error: Invalid or unexpected token     (native eval)

The same query works only if a space is added: $[?(@ > 1)].

Cause

In _eval, the current-node token @ is rewritten to the sandbox variable _$_v by:

.replaceAll(/@([.\s)[])/gu, '_$_v$1');

The character class only allows @ to be followed by ., whitespace, ) or [. When @ is immediately followed by a comparison or arithmetic operator (>, <, ==, !=, %, +, -, *, /, &, |), it is left as a literal @, so the compiled filter script begins with @ and neither the safe (jsep) nor the native (vm) evaluator can parse it.

Fix

Add those operator characters to the delimiter class:

.replaceAll(/@([-.\s)[<>=!%*/+&|])/gu, '_$_v$1');

@ inside identifiers and quoted keys is still protected (it is only rewritten when followed by an operator/delimiter, never a word character), so cases like @['@tag'] are unaffected.

Adds a regression test covering @>, @<, @=== and @!== with no surrounding whitespace. Full suite passes and lint is clean.

The current-node token @ was only substituted for _$_v when followed by
'.', whitespace, ')' or '['. A bare @ directly before a comparison or
arithmetic operator (e.g. $[?(@>1)] or $[?(@===2)]) was left untouched,
so the compiled filter script started with a literal @ and failed to
parse under both the safe and native evaluators. Extend the delimiter
set with the operator characters so these expressions evaluate; @ inside
identifiers and quoted keys (e.g. @['@tag']) stays protected.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant