Permalink
Browse files

fix($parse): forbid referencing Object in angular expressions

It was possible to run arbitrary JS from inside angular expressions using the
`Object.getOwnPropertyDescriptor` method like this since commit 4ab16aa:
    ''.sub.call.call(
      ({})["constructor"].getOwnPropertyDescriptor(''.sub.__proto__, "constructor").value,
      null,
      "alert(1)"
    )()
Fix that by blocking access to `Object` because `Object` isn't accessible
without tricks anyway and it provides some other nasty functions.

BREAKING CHANGE:
This prevents the use of `Object` inside angular expressions.
If you need Object.keys, make it accessible in the scope.
  • Loading branch information...
1 parent 2df7219 commit 528be29d1662122a34e204dd607e1c0bd9c16bbc @thejh thejh committed with IgorMinar Jun 8, 2014
Showing with 32 additions and 0 deletions.
  1. +5 −0 src/ng/parse.js
  2. +27 −0 test/ng/parseSpec.js
View
@@ -57,6 +57,11 @@ function ensureSafeObject(obj, fullExpression) {
throw $parseMinErr('isecdom',
'Referencing DOM nodes in Angular expressions is disallowed! Expression: {0}',
fullExpression);
+ } else if (// isObject(obj)
+ obj.getOwnPropertyNames || obj.getOwnPropertyDescriptor) {
+ throw $parseMinErr('isecobj',
+ 'Referencing Object in Angular expressions is disallowed! Expression: {0}',
+ fullExpression);
}
}
return obj;
View
@@ -743,6 +743,33 @@ describe('parser', function() {
});
});
+ describe('Object constructor', function() {
+ it('should NOT allow access to scope constructor', function() {
+ expect(function() {
+ scope.$eval('constructor.keys({})');
+ }).toThrowMinErr(
+ '$parse', 'isecfld', 'Referencing "constructor" field in Angular expressions '+
+ 'is disallowed! Expression: constructor.keys({})');
+ });
+
+ it('should NOT allow access to Object constructor in getter', function() {
+ expect(function() {
+ scope.$eval('{}["constructor"]');
+ }).toThrowMinErr(
+ '$parse', 'isecobj', 'Referencing Object in Angular expressions is disallowed! ' +
+ 'Expression: {}["constructor"]');
+ });
+
+ it('should NOT allow access to Object constructor that has been aliased', function() {
+ scope.foo = { "bar": Object };
+ expect(function() {
+ scope.$eval('foo["bar"]');
+ }).toThrowMinErr(
+ '$parse', 'isecobj', 'Referencing Object in Angular expressions is disallowed! ' +
+ 'Expression: foo["bar"]');
+
+ });
+ });
describe('Window and $element/node', function() {
it('should NOT allow access to the Window or DOM when indexing', inject(function($window, $document) {

0 comments on commit 528be29

Please sign in to comment.