
fix($parse): forbid __proto__ properties in angular expressions

__proto__ can be used to mess with global prototypes and it's
deprecated. Therefore, blacklisting it seems like a good idea.

BREAKING CHANGE:
The (deprecated) __proto__ property does not work inside angular expressions
anymore.
1 parent 48fa3aa commit 6081f20769e64a800ee8075c168412b21f026d99 @thejh thejh committed with IgorMinar Jun 8, 2014
Showing with 22 additions and 0 deletions.
  1. +7 −0 src/ng/parse.js
  2. +15 −0 test/ng/parseSpec.js
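--- a/src/ng/parse.js
+++ b/src/ng/parse.js
@@ -41,6 +41,9 @@ function ensureSafeMemberName(name, fullExpression) {
 throw $parseMinErr('isecgetset',
 'Defining and looking up getters and setters in Angular expressions is disallowed! '
 +'Expression: {0}', fullExpression);
+ } else if (name === "__proto__") {
+ throw $parseMinErr('isecproto', 'Using __proto__ in Angular expressions is disallowed! '
+ +'Expression: {0}', fullExpression);
 }
 return name;
 }
@@ -696,6 +699,10 @@ Parser.prototype = {
 i = indexFn(self, locals),
 v;
+ if (i === "__proto__") {
+ throw $parseMinErr('isecproto', 'Using __proto__ in Angular expressions is disallowed! '
+ +'Expression: {0}', parser.text);
+ }
 if (!o) return undefined;
 v = ensureSafeObject(o[i], parser.text);
 return v;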
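Review bot: The guard added in objectIndex re-implements only the `__proto__` branch of ensureSafeMemberName, so as far as the hunk shows a bracket index such as `o["__defineGetter__"]` still reaches `o[i]` even though the first hunk rejects that name on dot access (unless ensureSafeObject, whose body is outside the hunk, happens to reject the returned function); replacing the four new lines with `ensureSafeMemberName(i, parser.text);` covers both name lists with one error and keeps the two paths from drifting. Both new checks compare with `===` against the raw index value, which misses a non-string key that JavaScript stringifies to `__proto__` when it is used as a property key (for example an array literal `["__proto__"]`, if the expression grammar allows one inside brackets); comparing `String(i)` instead closes that, while the dot-access path is unaffected because the lexer supplies `name` as a string. The commit message's goal of protecting global prototypes also depends on `{}.constructor.prototype` being unreachable, which nothing in these hunks addresses — worth confirming that ensureSafeObject rejects the `Object` constructor itself, or adding such a check there. ensureSafeMemberName starts before the first hunk, and the accessor returned by objectIndex that the second hunk edits starts and ends outside it.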
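--- a/test/ng/parseSpec.js
+++ b/test/ng/parseSpec.js
@@ -913,6 +913,21 @@ describe('parser', function() {
 '{}.__lookupSetter__.call({}, "a")');
 });
 });
+
+ describe('__proto__', function() {
+ it('should NOT allow access to __proto__', function() {
+ expect(function() {
+ scope.$eval('{}.__proto__.foo = 1');
+ }).toThrowMinErr(
+ '$parse', 'isecproto', 'Using __proto__ in Angular expressions is disallowed!'+
+ ' Expression: {}.__proto__.foo = 1');
+ expect(function() {
+ scope.$eval('{}["__pro"+"to__"].foo = 1');
+ }).toThrowMinErr(
+ '$parse', 'isecproto', 'Using __proto__ in Angular expressions is disallowed!'+
+ ' Expression: {}["__pro"+"to__"].foo = 1');
+ });
+ });
 });
 describe('overriding constructor', function() {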
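Review bot: The new spec only asserts that the two expressions throw; if the guard ever regressed, `{}.__proto__.foo = 1` would actually write `Object.prototype.foo` and leak into every later test in the run, so add `expect(Object.prototype.foo).toBeUndefined();` after each eval and a `delete Object.prototype.foo;` in an afterEach so a failure stays contained. Both cases use a key that is a literal or a concatenation of literals inside the expression; a case where the key arrives from scope data at evaluation time (`scope.key = '__proto__'; scope.$eval('{}[key].foo = 1')`) exercises the indexFn path with a runtime value, and, if the grammar permits an array literal as an index, `{}[["__proto__"]].foo = 1` would probe the strict string comparison in objectIndex. The enclosing describe blocks start before the hunk.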
