
Commit 6081f20

thejh authored and IgorMinar committed
fix($parse): forbid __proto__ properties in angular expressions
__proto__ can be used to mess with global prototypes and it's deprecated. Therefore, blacklisting it seems like a good idea.

BREAKING CHANGE: The (deprecated) __proto__ property does not work inside angular expressions anymore.
1 parent 48fa3aa commit 6081f20

2 files changed

+22
-0
lines changed

src/ng/parse.js

Lines changed: 7 additions & 0 deletions
@@ -41,6 +41,9 @@ function ensureSafeMemberName(name, fullExpression) {
4141
throw $parseMinErr('isecgetset',
4242
'Defining and looking up getters and setters in Angular expressions is disallowed! '
4343
+'Expression: {0}', fullExpression);
44+
} else if (name === "__proto__") {
45+
throw $parseMinErr('isecproto', 'Using __proto__ in Angular expressions is disallowed! '
46+
+'Expression: {0}', fullExpression);
4447
}
4548
return name;
4649
}
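Review bot: The new `else if (name === "__proto__")` branch is in the right place, since `ensureSafeMemberName` is already the chokepoint that rejects `__defineGetter__`/`__lookupSetter__`-style names for dotted member access, so adding `__proto__` here covers every path that routes through this function. Two follow-ups: the `isecproto` minErr code is introduced here for the first time, so the error reference docs should gain a matching entry alongside `isecgetset`; and the message text `'Using __proto__ in Angular expressions is disallowed! ' + 'Expression: {0}'` is duplicated verbatim in the index path below, so consider building it once (or calling `ensureSafeMemberName` from that path) so the two cannot drift apart.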
@@ -696,6 +699,10 @@ Parser.prototype = {
696699
i = indexFn(self, locals),
697700
v;
698701

702+
if (i === "__proto__") {
703+
throw $parseMinErr('isecproto', 'Using __proto__ in Angular expressions is disallowed! '
704+
+'Expression: {0}', parser.text);
705+
}
699706
if (!o) return undefined;
700707
v = ensureSafeObject(o[i], parser.text);
701708
return v;
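Review bot: The check at `if (i === "__proto__")` only matches when the computed index is already a string, but `o[i]` on the following line stringifies whatever `i` is, so a non-string index that coerces to the same text would not be caught by a strict compare. Normalizing first (`String(i) === "__proto__"`) or, better, routing `i` through `ensureSafeMemberName(i, parser.text)` would close that gap and also give the bracket-index path the same getter/setter name rejection the dotted path already has. Placing the throw before `if (!o) return undefined;` is reasonable, since it keeps the error consistent regardless of whether the base object exists.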

test/ng/parseSpec.js

Lines changed: 15 additions & 0 deletions
@@ -913,6 +913,21 @@ describe('parser', function() {
913913
'{}.__lookupSetter__.call({}, "a")');
914914
});
915915
});
916+
917+
describe('__proto__', function() {
918+
it('should NOT allow access to __proto__', function() {
919+
expect(function() {
920+
scope.$eval('{}.__proto__.foo = 1');
921+
}).toThrowMinErr(
922+
'$parse', 'isecproto', 'Using __proto__ in Angular expressions is disallowed!'+
923+
' Expression: {}.__proto__.foo = 1');
924+
expect(function() {
925+
scope.$eval('{}["__pro"+"to__"].foo = 1');
926+
}).toThrowMinErr(
927+
'$parse', 'isecproto', 'Using __proto__ in Angular expressions is disallowed!'+
928+
' Expression: {}["__pro"+"to__"].foo = 1');
929+
});
930+
});
916931
});
917932

918933
describe('overriding constructor', function() {
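Review bot: Both new cases exercise assignment (`{}.__proto__.foo = 1`), one via dotted access and one via a computed string index, which maps onto the two code paths changed in parse.js; a read-only case such as evaluating `{}.__proto__` would confirm the rejection does not depend on the assignment form. Note that the specs assert the full error text, including `' Expression: ...'`, so any wording change in the two `$parseMinErr('isecproto', ...)` calls must be mirrored here. A case where the index is not a literal string (for example a scope value) would also pin down the behaviour of the strict `===` compare in the index path.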
