Skip to content

Commit e7b28ea

Browse files
alexbrasetvikalexbrasetvik
authored
Sanitize sourceURL so it cannot affect evaled code (#4518)
1 parent 0cec225 commit e7b28ea

File tree

2 files changed

+15
-5
lines changed

2 files changed

+15
-5
lines changed

lodash.js

Lines changed: 3 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -14821,11 +14821,11 @@
1482114821

1482214822
// Use a sourceURL for easier debugging.
1482314823
// The sourceURL gets injected into the source that's eval-ed, so be careful
14824-
// with lookup (in case of e.g. prototype pollution), and strip newlines if any.
14825-
// A newline wouldn't be a valid sourceURL anyway, and it'd enable code injection.
14824+
// to normalize all kinds of whitespace, so e.g. newlines (and unicode versions of it) can't sneak in
14825+
// and escape the comment, thus injecting code that gets evaled.
1482614826
var sourceURL = '//# sourceURL=' +
1482714827
(hasOwnProperty.call(options, 'sourceURL')
14828-
? (options.sourceURL + '').replace(/[\r\n]/g, ' ')
14828+
? (options.sourceURL + '').replace(/\s/g, ' ')
1482914829
: ('lodash.templateSources[' + (++templateCounter) + ']')
1483014830
) + '\n';
1483114831

@@ -14858,8 +14858,6 @@
1485814858

1485914859
// If `variable` is not specified wrap a with-statement around the generated
1486014860
// code to add the data object to the top of the scope chain.
14861-
// Like with sourceURL, we take care to not check the option's prototype,
14862-
// as this configuration is a code injection vector.
1486314861
var variable = hasOwnProperty.call(options, 'variable') && options.variable;
1486414862
if (!variable) {
1486514863
source = 'with (obj) {\n' + source + '\n}\n';

test/test.js

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -22641,6 +22641,18 @@
2264122641
assert.deepEqual(actual, expected);
2264222642
});
2264322643

22644+
QUnit.test('should not let a sourceURL inject code', function(assert) {
22645+
assert.expect(1);
22646+
22647+
var actual,
22648+
expected = 'no error';
22649+
try {
22650+
actual = _.template(expected, {'sourceURL': '\u2028\u2029\n!this would err if it was executed!'})();
22651+
} catch (e) {}
22652+
22653+
assert.equal(actual, expected);
22654+
});
22655+
2264422656
QUnit.test('should work as an iteratee for methods like `_.map`', function(assert) {
2264522657
assert.expect(1);
2264622658

0 commit comments

Comments
 (0)