Add a test to confirm we are not vulnerable to CVE-2021-23337 (#2911)

jashkenas · Feb 28, 2021 · a4cc7c0 · a4cc7c0
1 parent 745e9b7
commit a4cc7c0
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/test/utility.js b/test/utility.js
@@ -465,4 +465,19 @@
     assert.strictEqual(template(), '<<\nx\n>>');
   });
 
+  QUnit.test('#2911 - _.template must not trigger CVE-2021-23337.', function(assert) {
+      QUnit.holyProperty = 'holy';
+      var invalidVariableNames = [
+          '){delete QUnit.holyProperty}; with(obj',
+          '(x = QUnit.holyProperty = "evil"), obj',
+          'document.write("got you!")'
+      ];
+      _.each(invalidVariableNames, function(name) {
+          assert.throws(function() { _.template('', { variable: name })(); });
+      });
+      var holy = QUnit.holyProperty;
+      delete QUnit.holyProperty;
+      assert.strictEqual(holy, 'holy');
+  });
+
 }());