fix($parse): forbid referencing Object in angular expressions

It was possible to run arbitrary JS from inside angular expressions using the
`Object.getOwnPropertyDescriptor` method like this since commit 4ab16aa:
    ''.sub.call.call(
      ({})["constructor"].getOwnPropertyDescriptor(''.sub.__proto__, "constructor").value,
      null,
      "alert(1)"
    )()
Fix that by blocking access to `Object` because `Object` isn't accessible
without tricks anyway and it provides some other nasty functions.

BREAKING CHANGE:
This prevents the use of `Object` inside angular expressions.
If you need Object.keys, make it accessible in the scope.

Author: thejh

src/ng/parse.js

@@ -59,6 +59,11 @@ function ensureSafeObject(obj, fullExpression) {
       throw $parseMinErr('isecdom',
           'Referencing DOM nodes in Angular expressions is disallowed! Expression: {0}',
           fullExpression);
+    } else if (// isObject(obj)
+        obj.getOwnPropertyNames || obj.getOwnPropertyDescriptor) {
+      throw $parseMinErr('isecobj',
+          'Referencing Object in Angular expressions is disallowed! Expression: {0}',
+          fullExpression);
     }
   }
   return obj;

test/ng/parseSpec.js

@@ -918,6 +918,33 @@ describe('parser', function() {
           expect(count).toBe(1);
         });
 
+        describe('Object constructor', function() {
+          it('should NOT allow access to scope constructor', function() {
+            expect(function() {
+              scope.$eval('constructor.keys({})');
+            }).toThrowMinErr(
+                    '$parse', 'isecfld', 'Referencing "constructor" field in Angular expressions '+
+                    'is disallowed! Expression: constructor.keys({})');
+          });
+
+          it('should NOT allow access to Object constructor in getter', function() {
+            expect(function() {
+              scope.$eval('{}["constructor"]');
+            }).toThrowMinErr(
+                    '$parse', 'isecobj', 'Referencing Object in Angular expressions is disallowed! ' +
+                    'Expression: {}["constructor"]');
+          });
+
+          it('should NOT allow access to Object constructor that has been aliased', function() {
+            scope.foo = { "bar": Object };
+            expect(function() {
+              scope.$eval('foo["bar"]');
+            }).toThrowMinErr(
+                    '$parse', 'isecobj', 'Referencing Object in Angular expressions is disallowed! ' +
+                    'Expression: foo["bar"]');
+
+          });
+        });
 
         it('should call the function once when it is part of the context on property lookup function', function() {
           var count = 0;