Diffstat (limited to 'tools/node_modules/eslint/node_modules/lodash/template.js')
-rw-r--r-- | tools/node_modules/eslint/node_modules/lodash/template.js | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/tools/node_modules/eslint/node_modules/lodash/template.js b/tools/node_modules/eslint/node_modules/lodash/template.js
index 16539eec2f..f71d130249 100644
--- a/tools/node_modules/eslint/node_modules/lodash/template.js
+++ b/tools/node_modules/eslint/node_modules/lodash/template.js
@@ -27,6 +27,12 @@ var reNoMatch = /($^)/;
 /** Used to match unescaped characters in compiled string literals. */
 var reUnescapedString = /['\n\r\u2028\u2029\\]/g;
 
+/** Used for built-in method references. */
+var objectProto = Object.prototype;
+
+/** Used to check objects for own properties. */
+var hasOwnProperty = objectProto.hasOwnProperty;
+
 /**
  * Creates a compiled template function that can interpolate data properties
  * in "interpolate" delimiters, HTML-escape interpolated data properties in
@@ -162,7 +168,14 @@ function template(string, options, guard) {
     , 'g');
 
   // Use a sourceURL for easier debugging.
-  var sourceURL = 'sourceURL' in options ? '//# sourceURL=' + options.sourceURL + '\n' : '';
+  // The sourceURL gets injected into the source that's eval-ed, so be careful
+  // with lookup (in case of e.g. prototype pollution), and strip newlines if any.
+  // A newline wouldn't be a valid sourceURL anyway, and it'd enable code injection.
+  var sourceURL = hasOwnProperty.call(options, 'sourceURL')
+    ? ('//# sourceURL=' +
+       (options.sourceURL + '').replace(/[\r\n]/g, ' ') +
+       '\n')
+    : '';
 
   string.replace(reDelimiters, function(match, escapeValue, interpolateValue, esTemplateValue, evaluateValue, offset) {
     interpolateValue || (interpolateValue = esTemplateValue);
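Review bot: The newline strip on the `replace(/[\r\n]/g, ' ')` line is narrower than the injection it is meant to close: ECMAScript treats U+2028 and U+2029 as LineTerminators, so a sourceURL containing either one ends the `//# sourceURL=` comment and the rest of the string is compiled as code, exactly as a `\n` would. The file's own `reUnescapedString` in the first hunk already lists `\u2028\u2029` alongside `\n\r` for this reason. Replace the pattern with `(options.sourceURL + '').replace(/\s/g, ' ') +`, which covers all four terminators (and other whitespace that is not valid in a URL anyway), and widen the comment to say "strip line terminators" rather than "newlines". The `template` function and the `string.replace` callback continue outside the hunk.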
@@ -193,7 +206,9 @@ function template(string, options, guard) {
   // If `variable` is not specified wrap a with-statement around the generated
   // code to add the data object to the top of the scope chain.
-  var variable = options.variable;
+  // Like with sourceURL, we take care to not check the option's prototype,
+  // as this configuration is a code injection vector.
+  var variable = hasOwnProperty.call(options, 'variable') && options.variable;
   if (!variable) {
     source = 'with (obj) {\n' + source + '\n}\n';
   }
 
|
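Review bot: The own-property check on the `var variable = hasOwnProperty.call(options, 'variable') && options.variable;` line addresses a polluted `Object.prototype` but not the value itself, and the comment above it reads as if the lookup were the whole vector. If `variable` is still spliced verbatim into the generated function source further down (outside this hunk), an own `options.variable` that is not a plain identifier remains a code-injection path, so the comment should state the residual contract, e.g. `// The value itself is still inserted into the compiled source unvalidated; callers must only pass trusted option objects.` Alternatively the value could be checked against an identifier pattern before it is used. The `template` function continues outside the hunk.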