kylefang/angular.js
1
0
Fork 0
mirror of https://github.com/zhigang1992/angular.js.git synced 2026-04-24 03:55:49 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix($parse): forbid referencing Object in angular expressions

Browse Source 
It was possible to run arbitrary JS from inside angular expressions using the
`Object.getOwnPropertyDescriptor` method like this since commit 4ab16aaa:
    ''.sub.call.call(
      ({})["constructor"].getOwnPropertyDescriptor(''.sub.__proto__, "constructor").value,
      null,
      "alert(1)"
    )()
Fix that by blocking access to `Object` because `Object` isn't accessible
without tricks anyway and it provides some other nasty functions.

BREAKING CHANGE:
This prevents the use of `Object` inside angular expressions.
If you need Object.keys, make it accessible in the scope.
This commit is contained in:
Jann Horn
2014-06-08 19:15:25 +02:00
committed by Igor Minar
parent 0c80df21b6
commit bc6fb7cc94
2 changed files with 32 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
test/ng/parseSpec.js
View File

@@ -918,6 +918,33 @@ describe('parser', function() {
expect(count).toBe(1);
});
describe('Object constructor', function() {
it('should NOT allow access to scope constructor', function() {
expect(function() {
scope.$eval('constructor.keys({})');
}).toThrowMinErr(
'$parse', 'isecfld', 'Referencing "constructor" field in Angular expressions '+
'is disallowed! Expression: constructor.keys({})');
});
it('should NOT allow access to Object constructor in getter', function() {
expect(function() {
scope.$eval('{}["constructor"]');
}).toThrowMinErr(
'$parse', 'isecobj', 'Referencing Object in Angular expressions is disallowed! ' +
'Expression: {}["constructor"]');
});
it('should NOT allow access to Object constructor that has been aliased', function() {
scope.foo = { "bar": Object };
expect(function() {
scope.$eval('foo["bar"]');
}).toThrowMinErr(
'$parse', 'isecobj', 'Referencing Object in Angular expressions is disallowed! ' +
'Expression: foo["bar"]');
});
});
it('should call the function once when it is part of the context on property lookup function', function() {
var count = 0;