
feat: access control to prototype properties via whitelist #1633

Merged
merged 4 commits into from Jan 8, 2020

Commits on Jan 8, 2020

  1. feat: access control to prototype properties via whitelist

    Disallow access to prototype properties and methods by default.
    Access to properties is always checked via
    `Object.prototype.hasOwnProperty.call(parent, propertyName)`.
    
    New runtime options:
    - **allowedProtoMethods**: a string-to-boolean map of property-names that are allowed if they are methods of the parent object.
    - **allowedProtoProperties**: a string-to-boolean map of property-names that are allowed if they are properties but not methods of the parent object.
    
    ```js
    const handlebars = require('handlebars')

    const template = handlebars.compile('{{aString.trim}}')
    const result = template({ aString: '  abc  ' })
    // result is empty, because trim is defined on the String prototype
    ```
    
    ```js
    const handlebars = require('handlebars')

    const template = handlebars.compile('{{aString.trim}}')
    const result = template({ aString: '  abc  ' }, {
      allowedProtoMethods: {
        trim: true
      }
    })
    // result = 'abc'
    ```
    
    Implementation details: The method "container.lookupProperty" now
    handles the prototype-checks and the white-lists. It is used in
    - JavaScriptCompiler#nameLookup
    - The "lookup"-helper (passed to all helpers as "options.lookupProperty")
    - The "lookup" function at the container, which is used for recursive lookups in "compat" mode
    
    Compatibility:
    - **Old precompiled templates work with new runtimes**: The "options.lookupProperty"-function is passed to the helper by a wrapper, not by the compiled template.
    - **New templates work with old runtimes**: The template contains a function that is used as fallback if the "lookupProperty"-function cannot be found at the container. However, the runtime-options "allowedProtoProperties" and "allowedProtoMethods" only work with the newest runtime.
    
    BREAKING CHANGE:
    - access to prototype properties is forbidden completely by default
    nknapp committed Jan 8, 2020, commit 33a3b46
  2. Commit 461b837
  3. test: add path to nodeJs when running test:bin

    - this allows the test to be run in a debugger
      without the complete PATH
    nknapp committed Jan 8, 2020, commit e0b349c
  4. Commit 2648921
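The lookup rule described in the first commit message, as an added example that is not code from this PR or from handlebars.js: a stand-alone reimplementation of the own-property check plus the two whitelists, with a hypothetical `renderPath` helper so the `{{aString.trim}}` case can be exercised without Handlebars installed.

```javascript
// Added example, not the handlebars.js implementation from this PR: a minimal
// stand-alone version of the lookup rule described in the commit message.
// Own properties of the parent are always readable; a value found on the
// prototype chain is returned only if the runtime options whitelist its name,
// using allowedProtoMethods for functions and allowedProtoProperties otherwise.
function lookupProperty(parent, propertyName, runtimeOptions = {}) {
  if (parent == null) return undefined;
  const value = parent[propertyName];
  // Own property (the hasOwnProperty check from the commit message): always allowed.
  if (Object.prototype.hasOwnProperty.call(parent, propertyName)) {
    return value;
  }
  const allowedMethods = runtimeOptions.allowedProtoMethods || {};
  const allowedProperties = runtimeOptions.allowedProtoProperties || {};
  // Strict `=== true` so that keys the whitelist object itself inherits from
  // Object.prototype never count as whitelisted.
  if (typeof value === 'function') {
    return allowedMethods[propertyName] === true ? value : undefined;
  }
  return allowedProperties[propertyName] === true ? value : undefined;
}

// Hypothetical helper: resolve a dotted template path such as "aString.trim"
// one segment at a time through lookupProperty, then render the result the way
// a mustache would (call it on its parent if it is a function). Blocked or
// missing segments render as an empty string.
function renderPath(path, context, runtimeOptions) {
  let parent = null;
  let current = context;
  for (const segment of path.split('.')) {
    parent = current;
    current = lookupProperty(current, segment, runtimeOptions);
    if (current === undefined) return '';
  }
  return String(typeof current === 'function' ? current.call(parent) : current);
}

// Constructed sample context mirroring the commit message's example.
const context = { aString: '  abc  ' };
console.log(renderPath('aString.trim', context)); // '' -- trim lives on String.prototype
console.log(renderPath('aString.trim', context, { allowedProtoMethods: { trim: true } })); // 'abc'
console.log(renderPath('aString.length', context)); // '7' -- length is an own property of the string
```

Note that `allowedProtoMethods` only unlocks functions: whitelisting a non-function prototype property under it still renders empty, which is why the two maps are separate.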