11describe ( 'security issues' , function ( ) {
22 describe ( 'GH-1495: Prevent Remote Code Execution via constructor' , function ( ) {
33 it ( 'should not allow constructors to be accessed' , function ( ) {
4- shouldCompileTo ( '{{constructor.name}}' , { } , '' ) ;
5- shouldCompileTo ( '{{lookup (lookup this "constructor") "name"}}' , { } , '' ) ;
4+ expectTemplate ( '{{lookup (lookup this "constructor") "name"}}' )
5+ . withInput ( { } )
6+ . toCompileTo ( '' ) ;
7+
8+ expectTemplate ( '{{constructor.name}}' )
9+ . withInput ( { } )
10+ . toCompileTo ( '' ) ;
611 } ) ;
712
8- it ( 'should allow the "constructor" property to be accessed if it is enumerable' , function ( ) {
13+ it ( 'GH-1603: should not allow constructors to be accessed (lookup via toString)' , function ( ) {
14+ expectTemplate ( '{{lookup (lookup this (list "constructor")) "name"}}' )
15+ . withInput ( { } )
16+ . withHelper ( 'list' , function ( element ) {
17+ return [ element ] ;
18+ } )
19+ . toCompileTo ( '' ) ;
20+ } ) ;
21+
22+
23+ it ( 'should allow the "constructor" property to be accessed if it is enumerable' , function ( ) {
924 shouldCompileTo ( '{{constructor.name}}' , { 'constructor' : {
1025 'name' : 'here we go'
1126 } } , 'here we go' ) ;
@@ -14,6 +29,13 @@ describe('security issues', function() {
1429 } } , 'here we go' ) ;
1530 } ) ;
1631
32+ it ( 'should allow the "constructor" property to be accessed if it is enumerable' , function ( ) {
33+ shouldCompileTo ( '{{lookup (lookup this "constructor") "name"}}' , { 'constructor' : {
34+ 'name' : 'here we go'
35+ } } , 'here we go' ) ;
36+ } ) ;
37+
38+
1739 it ( 'should allow prototype properties that are not constructors' , function ( ) {
1840 function TestClass ( ) {
1941 }
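Review bot: The two 'should allow the "constructor" property to be accessed if it is enumerable' tests (new lines 23 and 32) share one title, so a failure report cannot say whether the dotted path or the `lookup` helper path regressed; the second could be titled `'should allow the "constructor" property to be accessed via lookup if it is enumerable'`. The GH-1603 test at new line 13 would also benefit from a comment on why the `list` helper is there, e.g. `// the key reaches lookup as ["constructor"], which is not the string "constructor" but coerces to it on property access`. The new allow-tests still call `shouldCompileTo`, while the deny-tests in the same commit moved to `expectTemplate(...).withInput(...).toCompileTo(...)`; using one form throughout would keep the block consistent. The enclosing `describe` block and the `TestClass` test continue past the end of this section.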