Skip to content
This repository was archived by the owner on Apr 12, 2024. It is now read-only.

fix($parse): block assigning to fields of a constructor #12860

Closed
wants to merge 1 commit into from
Closed

fix($parse): block assigning to fields of a constructor #12860

wants to merge 1 commit into from

Conversation

lgalfaso
Copy link
Contributor

Throw when assigning to a field of a constructor.

@lgalfaso
fix($parse): block assigning to fields of a constructor
ed8be3c 
Throw when assigning to a field of a constructor.
petebacondarwin
petebacondarwin reviewed Sep 21, 2015
View reviewed changes
src/ng/parse.js
throw $parseMinErr('isecaf',
'Assigning to a constructor is disallowed! Expression: {0}', fullExpression);
}
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So we only care about built-in constructors?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we care the ones an expression can invoke and can be used to break the sandbox... the only other I can think about is Scope, but I really have no idea if it can be maliciously used. The alternative would be blocking to any property named constructor, but it might be just too much and there might be valid uses.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So I guess we can't protect against developers putting stuff on the scope via a controller, such as the window object, for instance?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

there are other protections in place that prevent any form of access to several objects. Eg. DOM nodes and window

lgalfaso added a commit that referenced this pull request Sep 22, 2015
@lgalfaso @petebacondarwin
fix($parse): block assigning to fields of a constructor
c2bc846 
Throw when assigning to a field of a constructor.

Closes #12860
@lgalfaso lgalfaso closed this in 6571d7a Sep 22, 2015
@petebacondarwin
Copy link
Contributor

I merged this into master and 1.4.x.
It didn't go cleanly into 1.3.x. @lgalfaso is it backportable to 1.3 and 1.2?

@lgalfaso
Copy link
Contributor Author

@petebacondarwin sure, will do so later this week

lgalfaso added a commit that referenced this pull request Sep 22, 2015
@lgalfaso @petebacondarwin
fix($parse): block assigning to fields of a constructor
e1f4f23 
Throw when assigning to a field of a constructor.

Closes #12860
lgalfaso added a commit that referenced this pull request Sep 22, 2015
@lgalfaso @petebacondarwin
fix($parse): block assigning to fields of a constructor
a7f3761 
Throw when assigning to a field of a constructor.

Closes #12860
@petebacondarwin
Copy link
Contributor

Magic!

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees

@petebacondarwin petebacondarwin

Labels
cla: yes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@lgalfaso @petebacondarwin @googlebot