diff --git a/src/ng/parse.js b/src/ng/parse.js
index 1ae26404e610..06c0376b4dcd 100644
--- a/src/ng/parse.js
+++ b/src/ng/parse.js
@@ -57,6 +57,11 @@ function ensureSafeObject(obj, fullExpression) {
 throw $parseMinErr('isecdom',
 'Referencing DOM nodes in Angular expressions is disallowed! Expression: {0}',
 fullExpression);
+ } else if (// isObject(obj)
+ obj.getOwnPropertyNames || obj.getOwnPropertyDescriptor) {
+ throw $parseMinErr('isecobj',
+ 'Referencing Object in Angular expressions is disallowed! Expression: {0}',
+ fullExpression);
 }
 }
 return obj;
diff --git a/test/ng/parseSpec.js b/test/ng/parseSpec.js
index 7f1eeb64663d..4cd50e5752cf 100644
--- a/test/ng/parseSpec.js
+++ b/test/ng/parseSpec.js
@@ -743,6 +743,33 @@ describe('parser', function() {
 });
 });
+ describe('Object constructor', function() {
+ it('should NOT allow access to scope constructor', function() {
+ expect(function() {
+ scope.$eval('constructor.keys({})');
+ }).toThrowMinErr(
+ '$parse', 'isecfld', 'Referencing "constructor" field in Angular expressions '+
+ 'is disallowed! Expression: constructor.keys({})');
+ });
+
+ it('should NOT allow access to Object constructor in getter', function() {
+ expect(function() {
+ scope.$eval('{}["constructor"]');
+ }).toThrowMinErr(
+ '$parse', 'isecobj', 'Referencing Object in Angular expressions is disallowed! ' +
+ 'Expression: {}["constructor"]');
+ });
+
+ it('should NOT allow access to Object constructor that has been aliased', function() {
+ scope.foo = { "bar": Object };
+ expect(function() {
+ scope.$eval('foo["bar"]');
+ }).toThrowMinErr(
+ '$parse', 'isecobj', 'Referencing Object in Angular expressions is disallowed! ' +
+ 'Expression: foo["bar"]');
+
+ });
+ });
 describe('Window and $element/node', function() {
 it('should NOT allow access to the Window or DOM when indexing', inject(function($window, $document) {
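Review bot: The comment `// isObject(obj)` on the new branch names the wrong predicate: the condition does not ask whether obj is an object but whether obj looks like the Object constructor, duck-typed on the presence of two of its static methods. Suggest `// obj is the Object constructor (duck-typed on its static methods, presumably so a cross-frame Object is caught too — confirm)`. Because the test is mere presence of `getOwnPropertyNames` or `getOwnPropertyDescriptor`, any scope value carrying a property of either name — say a user-supplied reflection helper — is also rejected with `isecobj`; that is fail-closed and appropriate for an expression sandbox, but a clause in the comment saying the false positive is accepted on purpose will stop it being filed as a regression later. `ensureSafeObject` opens before this hunk, so the branches preceding `isecdom` and the guard that makes `obj.` safe to dereference are not visible here and are assumed.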
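Review bot: The three new specs pin the deny cases but none pins the fail-closed side of the duck-typed check in `ensureSafeObject`: a plain scope value that merely carries a `getOwnPropertyNames` property is rejected with `isecobj` as well, and a spec making that explicit (constructed example: `scope.foo = { getOwnPropertyNames: function() {} };` then expecting `isecobj` from `scope.$eval('foo')`) would record it as intended behaviour rather than leaving it to be discovered as a bug. Minor style in the same hunk: the first spec concatenates with `'+` while the other two use `' +`, `{ "bar": Object }` uses double quotes where the surrounding specs use single quotes, and the third spec has a stray blank line before its closing `});`. The enclosing `describe('parser', …)` opens and closes outside the hunk.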