fix($parse): forbid __proto__ properties in angular expressions

thejh · IgorMinar · commit 6081f20769e6 · 2014-06-30T09:25:23.000-07:00
__proto__ can be used to mess with global prototypes and it's
deprecated. Therefore, blacklisting it seems like a good idea.

BREAKING CHANGE:
The (deprecated) __proto__ propery does not work inside angular expressions
anymore.
diff --git a/src/ng/parse.js b/src/ng/parse.js
@@ -41,6 +41,9 @@ function ensureSafeMemberName(name, fullExpression) {
     throw $parseMinErr('isecgetset',
         'Defining and looking up getters and setters in Angular expressions is disallowed! '
         +'Expression: {0}', fullExpression);
+  } else if (name === "__proto__") {
+    throw $parseMinErr('isecproto', 'Using __proto__ in Angular expressions is disallowed! '
+        +'Expression: {0}', fullExpression);
   }
   return name;
 }
@@ -696,6 +699,10 @@ Parser.prototype = {
           i = indexFn(self, locals),
           v;
 
+      if (i === "__proto__") {
+        throw $parseMinErr('isecproto', 'Using __proto__ in Angular expressions is disallowed! '
+            +'Expression: {0}', parser.text);
+      }
       if (!o) return undefined;
       v = ensureSafeObject(o[i], parser.text);
       return v;
diff --git a/test/ng/parseSpec.js b/test/ng/parseSpec.js
@@ -913,6 +913,21 @@ describe('parser', function() {
                     '{}.__lookupSetter__.call({}, "a")');
           });
         });
+
+        describe('__proto__', function() {
+          it('should NOT allow access to __proto__', function() {
+            expect(function() {
+              scope.$eval('{}.__proto__.foo = 1');
+            }).toThrowMinErr(
+                    '$parse', 'isecproto', 'Using __proto__ in Angular expressions is disallowed!'+
+                    ' Expression: {}.__proto__.foo = 1');
+            expect(function() {
+              scope.$eval('{}["__pro"+"to__"].foo = 1');
+            }).toThrowMinErr(
+                    '$parse', 'isecproto', 'Using __proto__ in Angular expressions is disallowed!'+
+                    ' Expression: {}["__pro"+"to__"].foo = 1');
+          });
+        });
       });
 
       describe('overriding constructor', function() {
