[SS-4229] - Sidecar - Update handlebar to latest to address security vulnerabilities

mgasper-sugarcrm · mgasper-sugarcrm · commit dbca765fd2f0 · 2024-07-07T02:43:27.000+03:00
diff --git a/lib/handlebars/compiler/compiler.js b/lib/handlebars/compiler/compiler.js
@@ -74,22 +74,15 @@ Compiler.prototype = {
     this.depths = {list: []};
     this.options = options;
 
-    // These changes will propagate to the other compiler components
-    var knownHelpers = this.options.knownHelpers;
-    this.options.knownHelpers = {
+    this.options.knownHelpers = extend(Object.create(null), {
       'helperMissing': true,
       'blockHelperMissing': true,
       'each': true,
       'if': true,
       'unless': true,
       'with': true,
       'log': true
-    };
-    if (knownHelpers) {
-      for (var name in knownHelpers) {
-        this.options.knownHelpers[name] = knownHelpers[name];
-      }
-    }
+    }, this.options.knownHelpers);
 
     return this.accept(program);
   },
diff --git a/lib/handlebars/compiler/javascript-compiler.js b/lib/handlebars/compiler/javascript-compiler.js
@@ -20,6 +20,11 @@ JavaScriptCompiler.prototype = {
       return 'Object.prototype.hasOwnProperty.call(' + parent + ',\'constructor\') ? ' + actual + ' : undefined';
     }
 
+    if (dangerousProperties.indexOf(name)) {
+      const isEnumerable = [ this.aliasable('container.propertyIsEnumerable'), '.call(', parent, ',', JSON.stringify(name), ')']
+      return ['(', isEnumerable, ' ? ', actual, ' : undefined)'];
+    }
+
     // Block the above dangerous properties altogether from being used. If they are used in a template, we assume it
     // could be to exploit the lib since the keywords don't make sense for actual template compilation or rendering
     // unlike 'constructor' which could be someone's occupation :) lol
@@ -100,6 +105,7 @@ JavaScriptCompiler.prototype = {
     this.hashes = [];
     this.compileStack = [];
     this.inlineStack = [];
+    this.aliases = [];
 
     this.compileChildren(environment, options);
 
@@ -857,6 +863,20 @@ JavaScriptCompiler.prototype = {
     };
   },
 
+  aliasable: function(name) {
+    let ret = this.aliases[name];
+    if (ret) {
+      ret.referenceCount++;
+      return ret;
+    }
+
+    ret = this.aliases[name] = this.source.wrap(name);
+    ret.aliasable = true;
+    ret.referenceCount =1;
+
+    return ret;
+  },
+
   setupOptions: function(paramSize, params) {
     var options = [], contexts = [], types = [], param, inverse, program;
 
diff --git a/lib/handlebars/runtime.js b/lib/handlebars/runtime.js
@@ -1,4 +1,3 @@
-module Utils from "./utils";
 import Exception from "./exception";
 import { COMPILER_REVISION, REVISION_CHANGES } from "./base";
 
diff --git a/package.json b/package.json
@@ -24,7 +24,7 @@
     "optimist": "~0.3"
   },
   "optionalDependencies": {
-    "uglify-js": "~2.6"
+    "uglify-js": "^3.14.3"
   },
   "devDependencies": {
     "async": "~0.2.9",

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,3 @@`
`1`		`-module Utils from "./utils";`
`2`	`1`	`import Exception from "./exception";`
`3`	`2`	`import { COMPILER_REVISION, REVISION_CHANGES } from "./base";`
`4`	`3`