From 60eb51791171412bdd7a2bb55415c3821c5240c4 Mon Sep 17 00:00:00 2001
From: Alex Brasetvik
Date: Tue, 9 Jul 2019 18:09:55 +0200
Subject: [PATCH] Prevent prototype pollution chaining to code execution via _.template (#4355)
---
lodash.js | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/lodash.js b/lodash.js
index 5c308f605..f60bbd95e 100644
--- a/lodash.js
+++ b/lodash.js
@@ -14784,9 +14784,12 @@
, 'g');
// Use a sourceURL for easier debugging.
+ // The sourceURL gets injected into the source that's eval-ed, so be careful
+ // with lookup (in case of e.g. prototype pollution), and strip newlines if any.
+ // A newline wouldn't be a valid sourceURL anyway, and it'd enable code injection.
var sourceURL = '//# sourceURL=' +
- ('sourceURL' in options
? options.sourceURL
+ (hasOwnProperty.call(options, 'sourceURL')
? (options.sourceURL + '').replace(/[\r\n]/g, ' ')
: ('lodash.templateSources[' + (++templateCounter) + ']')
) + '\n';
@@ -14819,7 +14822,9 @@
// If `variable` is not specified wrap a with-statement around the generated
// code to add the data object to the top of the scope chain.
- var variable = options.variable;
// Like with sourceURL, we take care to not check the option's prototype,
// as this configuration is a code injection vector.
var variable = hasOwnProperty.call(options, 'variable') && options.variable;
if (!variable) {
source = 'with (obj) {\n' + source + '\n}\n';
}
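Review bot: Stripping only `\r` and `\n` from `options.sourceURL` in the first hunk still leaves the `//# sourceURL=` comment escapable, because ECMAScript also treats U+2028 (LINE SEPARATOR) and U+2029 (PARAGRAPH SEPARATOR) as line terminators that end a `//` comment, so a sourceURL containing either character places whatever follows it outside the comment and into the evaluated template source. Widening the replacement to all whitespace closes that gap without affecting any legitimate URL: `? (options.sourceURL + '').replace(/\s/g, ' ')`. The new comment above it should then say "normalize all whitespace, including the Unicode line separators U+2028/U+2029, since any line terminator ends the comment" rather than only mentioning newlines. The own-property check is only as good as the `options` object it inspects, which is built earlier in `template`; that function starts and ends outside this hunk, so the merge that produces `options` is not visible here.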