mirror of
https://github.com/whoisclebs/lodash.git
synced 2026-02-03 00:27:50 +00:00
* Fix prototype pollution in _.set and related functions Prevents setting dangerous properties (__proto__, constructor, prototype) that could lead to prototype pollution vulnerabilities. * Fix command injection vulnerability in _.template - Add validation for the variable option to prevent injection attacks - Improve sourceURL whitespace normalization to prevent code injection * Fix cyclic value comparison in _.isEqual Properly checks both directions when comparing cyclic values to ensure correct equality comparisons for circular references. * Improve _.sortBy and _.orderBy performance and array handling - Add early return for empty arrays in sorted index operations - Improve array iteratee handling to support nested property paths - Add missing keysIn import in baseClone * Refactor _.trim, _.trimEnd, and _.trimStart implementations Extract shared trim logic into reusable utilities (_baseTrim, _trimmedEndIndex) for better code organization and consistency. Update related functions (toNumber, parseInt) to use new utilities. Improve comment accuracy. * Add documentation for predicate composition with _.overEvery and _.overSome Enhance documentation to show how _.matches and _.matchesProperty can be combined using _.overEvery and _.overSome for more powerful filtering. Add examples demonstrating shorthand predicate syntax. * Bump to v4.17.21 * Fix prototype pollution in _.unset and _.omit Prevent prototype pollution on baseUnset function by: - Blocking "__proto__" if not an own property - Blocking "constructor.prototype" chains (except when starting at primitive root) - Skipping non-string keys See: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg * Update JSDoc documentation to align with main branch - Fix sortBy example ages (40 -> 30) for correct sort order demonstration - Fix _setCacheHas return type (number -> boolean)
This commit is contained in:
John-David Dalton
committed by
GitHub
GitHub
parent
1068171675
commit
87a677c811
29
template.js
29
template.js
@@ -3,11 +3,26 @@ define(['./assignInWith', './attempt', './_baseValues', './_customDefaultsAssign
|
||||
/** Used as a safe reference for `undefined` in pre-ES5 environments. */
|
||||
var undefined;
|
||||
|
||||
/** Error message constants. */
|
||||
var INVALID_TEMPL_VAR_ERROR_TEXT = 'Invalid `variable` option passed into `_.template`';
|
||||
|
||||
/** Used to match empty string literals in compiled template source. */
|
||||
var reEmptyStringLeading = /\b__p \+= '';/g,
|
||||
reEmptyStringMiddle = /\b(__p \+=) '' \+/g,
|
||||
reEmptyStringTrailing = /(__e\(.*?\)|\b__t\)) \+\n'';/g;
|
||||
|
||||
/**
|
||||
* Used to validate the `validate` option in `_.template` variable.
|
||||
*
|
||||
* Forbids characters which could potentially change the meaning of the function argument definition:
|
||||
* - "()," (modification of function parameters)
|
||||
* - "=" (default value)
|
||||
* - "[]{}" (destructuring of function parameters)
|
||||
* - "/" (beginning of a comment)
|
||||
* - whitespace
|
||||
*/
|
||||
var reForbiddenIdentifierChars = /[()=,{}\[\]\/\s]/;
|
||||
|
||||
/**
|
||||
* Used to match
|
||||
* [ES template delimiters](http://ecma-international.org/ecma-262/7.0/#sec-template-literal-lexical-components).
|
||||
@@ -162,11 +177,11 @@ define(['./assignInWith', './attempt', './_baseValues', './_customDefaultsAssign
|
||||
|
||||
// Use a sourceURL for easier debugging.
|
||||
// The sourceURL gets injected into the source that's eval-ed, so be careful
|
||||
// with lookup (in case of e.g. prototype pollution), and strip newlines if any.
|
||||
// A newline wouldn't be a valid sourceURL anyway, and it'd enable code injection.
|
||||
// to normalize all kinds of whitespace, so e.g. newlines (and unicode versions of it) can't sneak in
|
||||
// and escape the comment, thus injecting code that gets evaled.
|
||||
var sourceURL = hasOwnProperty.call(options, 'sourceURL')
|
||||
? ('//# sourceURL=' +
|
||||
(options.sourceURL + '').replace(/[\r\n]/g, ' ') +
|
||||
(options.sourceURL + '').replace(/\s/g, ' ') +
|
||||
'\n')
|
||||
: '';
|
||||
|
||||
@@ -199,12 +214,16 @@ define(['./assignInWith', './attempt', './_baseValues', './_customDefaultsAssign
|
||||
|
||||
// If `variable` is not specified wrap a with-statement around the generated
|
||||
// code to add the data object to the top of the scope chain.
|
||||
// Like with sourceURL, we take care to not check the option's prototype,
|
||||
// as this configuration is a code injection vector.
|
||||
var variable = hasOwnProperty.call(options, 'variable') && options.variable;
|
||||
if (!variable) {
|
||||
source = 'with (obj) {\n' + source + '\n}\n';
|
||||
}
|
||||
// Throw an error if a forbidden character was found in `variable`, to prevent
|
||||
// potential command injection attacks.
|
||||
else if (reForbiddenIdentifierChars.test(variable)) {
|
||||
throw new Error(INVALID_TEMPL_VAR_ERROR_TEXT);
|
||||
}
|
||||
|
||||
// Cleanup code by stripping empty strings.
|
||||
source = (isEvaluating ? source.replace(reEmptyStringLeading, '') : source)
|
||||
.replace(reEmptyStringMiddle, '$1')
|
||||
|
||||
Reference in New Issue
Block a user