@@ -2043,28 +2043,56 @@ describe('parse', function() {
20432043
20442044 describe ( 'security' , function ( ) {
20452045
2046- it ( 'should not allow calling Function from an object property ' , function ( ) {
2046+ it ( 'should not allow calling Function/eval via a symbol ' , function ( ) {
20472047 assert . throws ( function ( ) {
2048- math . eval ( '[].map.constructor("console.log(\\"hacked...\\")")()' )
2048+ math . eval ( 'disguised("console.log(\\"hacked...\\")")()' , { disguised : eval } )
2049+ } , / E r r o r : C a l l i n g " e v a l " i s n o t a l l o w e d / )
2050+
2051+ assert . throws ( function ( ) {
2052+ math . eval ( 'disguised("console.log(\\"hacked...\\")")()' , { disguised : Function } )
20492053 } , / E r r o r : C a l l i n g " F u n c t i o n " i s n o t a l l o w e d / )
20502054 } )
20512055
2052- it ( 'should not allow calling Function' , function ( ) {
2056+ it ( 'should not allow calling Function/eval via an object property' , function ( ) {
2057+ assert . throws ( function ( ) {
2058+ math . eval ( '[].map.constructor("console.log(\\"hacked...\\")")()' )
2059+ } , / E r r o r : C a l l i n g " F u n c t i o n " i s n o t a l l o w e d / )
2060+
2061+ assert . throws ( function ( ) {
2062+ math . eval ( 'obj.disguised("console.log(\\"hacked...\\")")()' , { obj : { disguised : eval } } )
2063+ } , / E r r o r : C a l l i n g " e v a l " i s n o t a l l o w e d / )
2064+
20532065 assert . throws ( function ( ) {
2054- math . eval ( 'disguised("console.log(\\"hacked...\\")")()' , { disguised : Function } )
20552066 math . eval ( 'obj.disguised("console.log(\\"hacked...\\")")()' , { obj : { disguised : Function } } )
2056- math . eval ( 'fn()("console.log(\\"hacked...\\")")()' , { fn : function ( ) { return Function } } )
20572067 } , / E r r o r : C a l l i n g " F u n c t i o n " i s n o t a l l o w e d / )
20582068 } )
20592069
2060- it ( 'should not allow calling eval' , function ( ) {
2070+ it ( 'should not allow calling Function/eval when returned by a function' , function ( ) {
2071+ assert . throws ( function ( ) {
2072+ math . eval ( 'fn()("console.log(\\"hacked...\\")")()' , { fn : function ( ) { return Function } } )
2073+ } , / E r r o r : C a l l i n g " F u n c t i o n " i s n o t a l l o w e d / )
2074+
20612075 assert . throws ( function ( ) {
2062- math . eval ( 'disguised("console.log(\\"hacked...\\")")()' , { disguised : eval } )
2063- math . eval ( 'obj.disguised("console.log(\\"hacked...\\")")()' , { obj : { disguised : eval } } )
20642076 math . eval ( 'fn()("console.log(\\"hacked...\\")")()' , { fn : function ( ) { return eval } } )
20652077 } , / E r r o r : C a l l i n g " e v a l " i s n o t a l l o w e d / )
20662078 } )
20672079
2080+ it ( 'should not allow calling Function/eval via call/apply' , function ( ) {
2081+ assert . throws ( function ( ) {
2082+ math . eval ( '[].map.constructor.call(null, "console.log(\\"hacked...\\")")()' )
2083+ } , / E r r o r : C a l l i n g " c a l l " i s n o t a l l o w e d / )
2084+
2085+ assert . throws ( function ( ) {
2086+ math . eval ( '[].map.constructor.apply(null, ["console.log(\\"hacked...\\")"])()' )
2087+ } , / E r r o r : C a l l i n g " a p p l y " i s n o t a l l o w e d / )
2088+ } )
2089+
2090+ it ( 'should not allow calling Function/eval via bind' , function ( ) {
2091+ assert . throws ( function ( ) {
2092+ math . eval ( '[].map.constructor.bind()("console.log(\\"hacked...\\")")()' )
2093+ } , / E r r o r : C a l l i n g " b i n d " i s n o t a l l o w e d / )
2094+ } )
2095+
20682096 } ) ;
20692097
20702098} ) ;
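Review bot: The new call/apply/bind cases (hunk lines 2080–2094) only exercise the `[].map.constructor` route, while the symbol, object-property and function-return routes that the earlier cases cover are not repeated for them, so a scope-based variant such as `math.eval('disguised.call(null, "1")', { disguised: Function })` is left unpinned. The expected messages (`Calling "call" is not allowed`) suggest the member names themselves are rejected regardless of the receiver; if that is the intent, a companion case asserting what happens to `.call` on an ordinary scope function (rejected or allowed, whichever the parser means) would document the contract instead of leaving it inferred from the message text. The expected-message regexes are also repeated literally in every assertion; a pair of constants such as `const FUNCTION_NOT_ALLOWED = /Error: Calling "Function" is not allowed/` and `const EVAL_NOT_ALLOWED = /Error: Calling "eval" is not allowed/` at the top of the `describe('security', ...)` block would keep them in one place. The enclosing `describe('parse', ...)` block begins before this hunk.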