From a4cc7c065517f0fa132217161794b015ca537a5d Mon Sep 17 00:00:00 2001
From: Julian Gonggrijp
Date: Sun, 28 Feb 2021 21:30:11 +0100
Subject: [PATCH] Add a test to confirm we are not vulnerable to CVE-2021-23337 (#2911)

---
 test/utility.js | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/test/utility.js b/test/utility.js
index b0cd4941c..ec16afda6 100644
--- a/test/utility.js
+++ b/test/utility.js
@@ -465,4 +465,19 @@
     assert.strictEqual(template(), '<<\nx\n>>');
   });
 
+  QUnit.test('#2911 - _.template must not trigger CVE-2021-23337.', function(assert) {
+    QUnit.holyProperty = 'holy';
+    var invalidVariableNames = [
+      '){delete QUnit.holyProperty}; with(obj',
+      '(x = QUnit.holyProperty = "evil"), obj',
+      'document.write("got you!")'
+    ];
+    _.each(invalidVariableNames, function(name) {
+      assert.throws(function() { _.template('', { variable: name })(); });
+    });
+    var holy = QUnit.holyProperty;
+    delete QUnit.holyProperty;
+    assert.strictEqual(holy, 'holy');
+  });
+
 }());
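Review bot: The `assert.throws` call inside the `_.each` callback passes no expected-error argument, so any exception satisfies it; under Node the third name, `document.write("got you!")`, would raise a ReferenceError on `document` when the compiled function runs even if `_.template` had accepted the name unchecked, and that payload is not covered by the `QUnit.holyProperty` canary the way the first two are. Passing the rejection message to `assert.throws`, e.g. `assert.throws(function() { _.template('', { variable: name })(); }, /<message thrown for an invalid variable name>/);`, pins the failure to the variable-name check rather than to a later runtime error. A short comment above the array saying what each string exercises (argument-list escape, assignment via a comma expression, a side-effecting call) would help future readers see what the canary does and does not observe. The enclosing IIFE starts outside the hunk; the `}());` context line closes it.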