fix($parse): forbid referencing Object in angular expressions

It was possible to run arbitrary JS from inside angular expressions using the `Object.getOwnPropertyDescriptor` method like this since commit 4ab16aa: ''.sub.call.call( ({})["constructor"].getOwnPropertyDescriptor(''.sub.__proto__, "constructor").value, null, "alert(1)" )() Fix that by blocking access to `Object` because `Object` isn't accessible without tricks anyway and it provides some other nasty functions. BREAKING CHANGE: This prevents the use of `Object` inside angular expressions. If you need Object.keys, make it accessible in the scope.
angular · Jun 30, 2014 · 528be29 · 528be29
1 parent 2df7219
commit 528be29
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 0 deletions.
diff --git a/src/ng/parse.js b/src/ng/parse.js
@@ -57,6 +57,11 @@ function ensureSafeObject(obj, fullExpression) {
       throw $parseMinErr('isecdom',
           'Referencing DOM nodes in Angular expressions is disallowed! Expression: {0}',
           fullExpression);
+    } else if (// isObject(obj)
+        obj.getOwnPropertyNames || obj.getOwnPropertyDescriptor) {
+      throw $parseMinErr('isecobj',
+          'Referencing Object in Angular expressions is disallowed! Expression: {0}',
+          fullExpression);
     }
   }
   return obj;

diff --git a/test/ng/parseSpec.js b/test/ng/parseSpec.js
@@ -743,6 +743,33 @@ describe('parser', function() {
           });
         });
 
+        describe('Object constructor', function() {
+          it('should NOT allow access to scope constructor', function() {
+            expect(function() {
+              scope.$eval('constructor.keys({})');
+            }).toThrowMinErr(
+                    '$parse', 'isecfld', 'Referencing "constructor" field in Angular expressions '+
+                    'is disallowed! Expression: constructor.keys({})');
+          });
+
+          it('should NOT allow access to Object constructor in getter', function() {
+            expect(function() {
+              scope.$eval('{}["constructor"]');
+            }).toThrowMinErr(
+                    '$parse', 'isecobj', 'Referencing Object in Angular expressions is disallowed! ' +
+                    'Expression: {}["constructor"]');
+          });
+
+          it('should NOT allow access to Object constructor that has been aliased', function() {
+            scope.foo = { "bar": Object };
+            expect(function() {
+              scope.$eval('foo["bar"]');
+            }).toThrowMinErr(
+                    '$parse', 'isecobj', 'Referencing Object in Angular expressions is disallowed! ' +
+                    'Expression: foo["bar"]');
+
+          });
+        });
 
         describe('Window and $element/node', function() {
           it('should NOT allow access to the Window or DOM when indexing', inject(function($window, $document) {