Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

allowProtoMethods/Properties runtime options do not work for nested objects #1858

Open
vassudanagunta opened this issue May 9, 2022 · 1 comment
Open

allowProtoMethods/Properties runtime options do not work for nested objects #1858

vassudanagunta opened this issue May 9, 2022 · 1 comment
Labels
needs investigation

Comments

@vassudanagunta
Copy link

vassudanagunta commented May 9, 2022
edited

For example, given the following input:

function TestClass() {}
TestClass.prototype.aMethod = function() {
    return 'returnValue'
};
TestClass.prototype.nested = new TestClass()
const context = new TestClass()

the following,

const template = Handlebars.compile('{{nested.aMethod}}')
template(context, {allowProtoMethodsByDefault: true})

should yield 'returnValue'. Instead, it yields 'undefined'.

PR with failing test-cases submitted: #1859.
vassudanagunta added a commit to vassudanagunta/handlebars.js that referenced this issue May 9, 2022
@vassudanagunta
test: cover access control to prototype methods/properties on nested …
e5d3e96 
…objects (handlebars-lang#1858)

- per issue handlebars-lang#1858
- adds cases for nested input objects to existing cases
- very minor refactor to re-use the same test logic, keep tests readable.
@vassudanagunta vassudanagunta mentioned this issue May 9, 2022
Draft
@vassudanagunta
Copy link
Author

vassudanagunta commented May 9, 2022
edited

Workaround:

{{#with nested}}{{this.aMethod}}{{/with}}

The fact that this workaround works also shows fixing this issue does not increase access / loosen security, it would just restore API consistency, treating nested objects the same regardless of access mode.

The other option would be to disallow the workaround. This would at least restore consistency to the security restriction.

vassudanagunta added a commit to vassudanagunta/handlebars.js that referenced this issue May 9, 2022
@vassudanagunta
test: cover access control to prototype methods/properties on nested …
3c16973 
…objects (handlebars-lang#1858)

- per issue handlebars-lang#1858
- adds cases for nested input objects to existing cases
- very minor refactor to re-use the same test logic, keep tests readable.
@vassudanagunta vassudanagunta mentioned this issue May 10, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
needs investigation
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jaylinski @vassudanagunta