backport fixes from 4.x

Author: nknapp

lib/handlebars/base.js

@@ -215,7 +215,7 @@ function registerDefaultHelpers(instance) {
     if (!obj) {
       return obj;
     }
-    if (field === 'constructor' && !obj.propertyIsEnumerable(field)) {
+    if (Utils.dangerousPropertyRegex.test(String(field)) && !Object.prototype.hasOwnProperty.call(obj, field)) {
       return undefined;
     }
     return obj[field];

lib/handlebars/compiler/javascript-compiler.js

@@ -1,6 +1,6 @@
 import { COMPILER_REVISION, REVISION_CHANGES } from '../base';
 import Exception from '../exception';
-import {isArray} from '../utils';
+import {isArray, dangerousPropertyRegex} from '../utils';
 import CodeGen from './code-gen';
 
 function Literal(value) {
@@ -13,13 +13,18 @@ JavaScriptCompiler.prototype = {
   // PUBLIC API: You can override these methods in a subclass to provide
   // alternative compiled forms for name lookup and buffering semantics
   nameLookup: function(parent, name /* , type*/) {
-    if (name === 'constructor') {
-      return ['(', parent, '.propertyIsEnumerable(\'constructor\') ? ', parent, '.constructor : undefined', ')'];
+    if (dangerousPropertyRegex.test(name)) {
+      const isOwnProperty = [ this.aliasable('Object.prototype.hasOwnProperty'), '.call(', parent, ',', JSON.stringify(name), ')'];
+      return ['(', isOwnProperty, '?', _actualLookup(), ' : undefined)'];
     }
-    if (JavaScriptCompiler.isValidJavaScriptVariableName(name)) {
-      return [parent, '.', name];
-    } else {
-      return [parent, "['", name, "']"];
+    return _actualLookup();
+
+    function _actualLookup() {
+      if (JavaScriptCompiler.isValidJavaScriptVariableName(name)) {
+        return [parent, '.', name];
+      } else {
+        return [parent, '[', JSON.stringify(name), ']'];
+      }
     }
   },
   depthedLookup: function(name) {

lib/handlebars/utils.js

@@ -101,3 +101,5 @@ export function blockParams(params, ids) {
 export function appendContextPath(contextPath, id) {
   return (contextPath ? contextPath + '.' : '') + id;
 }
+
+export const dangerousPropertyRegex = /^(constructor|__defineGetter__|__defineSetter__|__lookupGetter__|__proto__)$/;

spec/security.js

@@ -30,4 +30,20 @@ describe('security issues', function() {
                 new TestClass(), 'xyz');
         });
     });
+
+    describe('GH-1595', function() {
+        it('properties, that are required to be enumerable', function() {
+            shouldCompileTo('{{constructor.name}}', {}, '');
+            shouldCompileTo('{{__defineGetter__.name}}', {}, '');
+            shouldCompileTo('{{__defineSetter__.name}}', {}, '');
+            shouldCompileTo('{{__lookupGetter__.name}}', {}, '');
+            shouldCompileTo('{{__proto__.__defineGetter__.name}}', {}, '');
+
+            shouldCompileTo('{{lookup this "constructor"}}', {}, '');
+            shouldCompileTo('{{lookup this "__defineGetter__"}}', {}, '');
+            shouldCompileTo('{{lookup this "__defineSetter__"}}', {}, '');
+            shouldCompileTo('{{lookup this "__lookupGetter__"}}', {}, '');
+            shouldCompileTo('{{lookup this "__proto__"}}', {}, '');
+        });
+    });
 });