Mirrors/lodash
1
0
Fork 0
mirror of https://github.com/whoisclebs/lodash.git synced 2026-01-29 06:27:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

Prevent prototype pollution chaining to code execution via _.template (#4355)

Browse Source
This commit is contained in:
Alex Brasetvik
2019-07-09 18:09:55 +02:00
committed by John-David Dalton
parent 1f8ea07746
commit 60eb517911
1 changed files with 8 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
lodash.js
View File

@@ -14784,9 +14784,12 @@
, 'g'); , 'g');
// Use a sourceURL for easier debugging. // Use a sourceURL for easier debugging.
// The sourceURL gets injected into the source that's eval-ed, so be careful
// with lookup (in case of e.g. prototype pollution), and strip newlines if any.
// A newline wouldn't be a valid sourceURL anyway, and it'd enable code injection.
var sourceURL = '//# sourceURL=' + var sourceURL = '//# sourceURL=' +
('sourceURL' in options (hasOwnProperty.call(options, 'sourceURL')
? options.sourceURL ? (options.sourceURL + '').replace(/[\r\n]/g, ' ')
: ('lodash.templateSources[' + (++templateCounter) + ']') : ('lodash.templateSources[' + (++templateCounter) + ']')
) + '\n'; ) + '\n';
@@ -14819,7 +14822,9 @@
// If `variable` is not specified wrap a with-statement around the generated // If `variable` is not specified wrap a with-statement around the generated
// code to add the data object to the top of the scope chain. // code to add the data object to the top of the scope chain.
var variable = options.variable; // Like with sourceURL, we take care to not check the option's prototype,
// as this configuration is a code injection vector.
var variable = hasOwnProperty.call(options, 'variable') && options.variable;
if (!variable) { if (!variable) {
source = 'with (obj) {\n' + source + '\n}\n'; source = 'with (obj) {\n' + source + '\n}\n';
} }