rhoggSugarcrm · mgasper-sugarcrm · Apr 12, 2019 · Apr 17, 2019 · Feb 5, 2021 · Feb 5, 2021
diff --git a/dist/amd/handlebars/compiler/javascript-compiler.js b/dist/amd/handlebars/compiler/javascript-compiler.js
@@ -17,25 +17,45 @@ define(
       // PUBLIC API: You can override these methods in a subclass to provide
       // alternative compiled forms for name lookup and buffering semantics
       nameLookup: function(parent, name /* , type*/) {
-        var wrap,
-            ret;
-        if (parent.indexOf('depth') === 0) {
-          wrap = true;
-        }
+        const actual = _actualLookup();
+        const dangerousProperties = ['__defineGetter__','__defineSetter__','__lookupGetter__','__proto__'];
 
-        if (/^[0-9]+$/.test(name)) {
-          ret = parent + "[" + name + "]";
-        } else if (JavaScriptCompiler.isValidJavaScriptVariableName(name)) {
-          ret = parent + "." + name;
+        // Do not allow to access constructor of any object/class
+        // See: https://snyk.io/vuln/SNYK-JS-HANDLEBARS-469063
+        if (name === 'constructor') {
+          return 'Object.prototype.hasOwnProperty.call(' + parent + ',\'constructor\') ? ' + actual + ' : undefined';
         }
-        else {
-          ret = parent + "['" + name + "']";
+
+        // Block the above dangerous properties altogether from being used. If they are used in a template, we assume it
+        // could be to exploit the lib since the keywords don't make sense for actual template compilation or rendering
+        // unlike 'constructor' which could be someone's occupation :) lol
+        // See https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534988
+        if (dangerousProperties.indexOf(name) !== -1) {
+          throw new Exception('For security reasons, you cannot use ' + name);
         }
 
-        if (wrap) {
-          return '(' + parent + ' && ' + ret + ')';
-        } else {
-          return ret;
+        return actual;
+
+        // Original 1.3.0 code for nameLookup which we default back to if a special keyword is not used
+        function _actualLookup() {
+          var wrap,
+              ret;
+          if (parent.indexOf('depth') === 0) {
+            wrap = true;
+          }
+          if (/^[0-9]+$/.test(name)) {
+            ret = parent + "[" + name + "]";
+          } else if (JavaScriptCompiler.isValidJavaScriptVariableName(name)) {
+            ret = parent + "." + name;
+          } else {
+            ret = parent + "['" + name + "']";
+          }
+
+          if (wrap) {
+            return '(' + parent + ' && ' + ret + ')';
+          } else {
+            return ret;
+          }
         }
       },
 

diff --git a/dist/cjs/handlebars/compiler/javascript-compiler.js b/dist/cjs/handlebars/compiler/javascript-compiler.js
@@ -14,25 +14,45 @@ JavaScriptCompiler.prototype = {
   // PUBLIC API: You can override these methods in a subclass to provide
   // alternative compiled forms for name lookup and buffering semantics
   nameLookup: function(parent, name /* , type*/) {
-    var wrap,
-        ret;
-    if (parent.indexOf('depth') === 0) {
-      wrap = true;
-    }
+    const actual = _actualLookup();
+    const dangerousProperties = ['__defineGetter__','__defineSetter__','__lookupGetter__','__proto__'];
 
-    if (/^[0-9]+$/.test(name)) {
-      ret = parent + "[" + name + "]";
-    } else if (JavaScriptCompiler.isValidJavaScriptVariableName(name)) {
-      ret = parent + "." + name;
+    // Do not allow to access constructor of any object/class
+    // See: https://snyk.io/vuln/SNYK-JS-HANDLEBARS-469063
+    if (name === 'constructor') {
+      return 'Object.prototype.hasOwnProperty.call(' + parent + ',\'constructor\') ? ' + actual + ' : undefined';
     }
-    else {
-      ret = parent + "['" + name + "']";
+
+    // Block the above dangerous properties altogether from being used. If they are used in a template, we assume it
+    // could be to exploit the lib since the keywords don't make sense for actual template compilation or rendering
+    // unlike 'constructor' which could be someone's occupation :) lol
+    // See https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534988
+    if (dangerousProperties.indexOf(name) !== -1) {
+      throw new Exception('For security reasons, you cannot use ' + name);
     }
 
-    if (wrap) {
-      return '(' + parent + ' && ' + ret + ')';
-    } else {
-      return ret;
+    return actual;
+
+    // Original 1.3.0 code for nameLookup which we default back to if a special keyword is not used
+    function _actualLookup() {
+      var wrap,
+          ret;
+      if (parent.indexOf('depth') === 0) {
+        wrap = true;
+      }
+      if (/^[0-9]+$/.test(name)) {
+        ret = parent + "[" + name + "]";
+      } else if (JavaScriptCompiler.isValidJavaScriptVariableName(name)) {
+        ret = parent + "." + name;
+      } else {
+        ret = parent + "['" + name + "']";
+      }
+
+      if (wrap) {
+        return '(' + parent + ' && ' + ret + ')';
+      } else {
+        return ret;
+      }
     }
   },
 

diff --git a/dist/handlebars.amd.js b/dist/handlebars.amd.js
@@ -1,6 +1,6 @@
 /*!
 
- handlebars v1.3.0-sugarcrm-temporary
+ handlebars v4.7.8-sugarcrm
 
 Copyright (C) 2011 by Yehuda Katz
 
@@ -1764,25 +1764,45 @@ define(
       // PUBLIC API: You can override these methods in a subclass to provide
       // alternative compiled forms for name lookup and buffering semantics
       nameLookup: function(parent, name /* , type*/) {
-        var wrap,
-            ret;
-        if (parent.indexOf('depth') === 0) {
-          wrap = true;
-        }
+        const actual = _actualLookup();
+        const dangerousProperties = ['__defineGetter__','__defineSetter__','__lookupGetter__','__proto__'];
 
-        if (/^[0-9]+$/.test(name)) {
-          ret = parent + "[" + name + "]";
-        } else if (JavaScriptCompiler.isValidJavaScriptVariableName(name)) {
-          ret = parent + "." + name;
+        // Do not allow to access constructor of any object/class
+        // See: https://snyk.io/vuln/SNYK-JS-HANDLEBARS-469063
+        if (name === 'constructor') {
+          return 'Object.prototype.hasOwnProperty.call(' + parent + ',\'constructor\') ? ' + actual + ' : undefined';
         }
-        else {
-          ret = parent + "['" + name + "']";
+
+        // Block the above dangerous properties altogether from being used. If they are used in a template, we assume it
+        // could be to exploit the lib since the keywords don't make sense for actual template compilation or rendering
+        // unlike 'constructor' which could be someone's occupation :) lol
+        // See https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534988
+        if (dangerousProperties.indexOf(name) !== -1) {
+          throw new Exception('For security reasons, you cannot use ' + name);
         }
 
-        if (wrap) {
-          return '(' + parent + ' && ' + ret + ')';
-        } else {
-          return ret;
+        return actual;
+
+        // Original 1.3.0 code for nameLookup which we default back to if a special keyword is not used
+        function _actualLookup() {
+          var wrap,
+              ret;
+          if (parent.indexOf('depth') === 0) {
+            wrap = true;
+          }
+          if (/^[0-9]+$/.test(name)) {
+            ret = parent + "[" + name + "]";
+          } else if (JavaScriptCompiler.isValidJavaScriptVariableName(name)) {
+            ret = parent + "." + name;
+          } else {
+            ret = parent + "['" + name + "']";
+          }
+
+          if (wrap) {
+            return '(' + parent + ' && ' + ret + ')';
+          } else {
+            return ret;
+          }
         }
       },
 

diff --git a/dist/handlebars.amd.min.js b/dist/handlebars.amd.min.js
diff --git a/dist/handlebars.js b/dist/handlebars.js
@@ -1,6 +1,6 @@
 /*!
 
- handlebars v1.3.0-sugarcrm-temporary
+ handlebars v4.7.8-sugarcrm
 
 Copyright (C) 2011 by Yehuda Katz
 
@@ -1786,25 +1786,45 @@ var __module11__ = (function(__dependency1__, __dependency2__) {
     // PUBLIC API: You can override these methods in a subclass to provide
     // alternative compiled forms for name lookup and buffering semantics
     nameLookup: function(parent, name /* , type*/) {
-      var wrap,
-          ret;
-      if (parent.indexOf('depth') === 0) {
-        wrap = true;
-      }
+      const actual = _actualLookup();
+      const dangerousProperties = ['__defineGetter__','__defineSetter__','__lookupGetter__','__proto__'];
 
-      if (/^[0-9]+$/.test(name)) {
-        ret = parent + "[" + name + "]";
-      } else if (JavaScriptCompiler.isValidJavaScriptVariableName(name)) {
-        ret = parent + "." + name;
+      // Do not allow to access constructor of any object/class
+      // See: https://snyk.io/vuln/SNYK-JS-HANDLEBARS-469063
+      if (name === 'constructor') {
+        return 'Object.prototype.hasOwnProperty.call(' + parent + ',\'constructor\') ? ' + actual + ' : undefined';
       }
-      else {
-        ret = parent + "['" + name + "']";
+
+      // Block the above dangerous properties altogether from being used. If they are used in a template, we assume it
+      // could be to exploit the lib since the keywords don't make sense for actual template compilation or rendering
+      // unlike 'constructor' which could be someone's occupation :) lol
+      // See https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534988
+      if (dangerousProperties.indexOf(name) !== -1) {
+        throw new Exception('For security reasons, you cannot use ' + name);
       }
 
-      if (wrap) {
-        return '(' + parent + ' && ' + ret + ')';
-      } else {
-        return ret;
+      return actual;
+
+      // Original 1.3.0 code for nameLookup which we default back to if a special keyword is not used
+      function _actualLookup() {
+        var wrap,
+            ret;
+        if (parent.indexOf('depth') === 0) {
+          wrap = true;
+        }
+        if (/^[0-9]+$/.test(name)) {
+          ret = parent + "[" + name + "]";
+        } else if (JavaScriptCompiler.isValidJavaScriptVariableName(name)) {
+          ret = parent + "." + name;
+        } else {
+          ret = parent + "['" + name + "']";
+        }
+
+        if (wrap) {
+          return '(' + parent + ' && ' + ret + ')';
+        } else {
+          return ret;
+        }
       }
     },
 

diff --git a/dist/handlebars.min.js b/dist/handlebars.min.js
diff --git a/dist/handlebars.runtime.amd.js b/dist/handlebars.runtime.amd.js
@@ -1,6 +1,6 @@
 /*!
 
- handlebars v1.3.0-sugarcrm-temporary
+ handlebars v4.7.8-sugarcrm
 
 Copyright (C) 2011 by Yehuda Katz
 

diff --git a/dist/handlebars.runtime.amd.min.js b/dist/handlebars.runtime.amd.min.js
diff --git a/dist/handlebars.runtime.js b/dist/handlebars.runtime.js
@@ -1,6 +1,6 @@
 /*!
 
- handlebars v1.3.0-sugarcrm-temporary
+ handlebars v4.7.8-sugarcrm
 
 Copyright (C) 2011 by Yehuda Katz
 

diff --git a/dist/handlebars.runtime.min.js b/dist/handlebars.runtime.min.js
diff --git a/lib/handlebars/compiler/compiler.js b/lib/handlebars/compiler/compiler.js
@@ -74,22 +74,15 @@ Compiler.prototype = {
     this.depths = {list: []};
     this.options = options;
 
-    // These changes will propagate to the other compiler components
-    var knownHelpers = this.options.knownHelpers;
-    this.options.knownHelpers = {
+    this.options.knownHelpers = extend(Object.create(null), {
       'helperMissing': true,
       'blockHelperMissing': true,
       'each': true,
       'if': true,
       'unless': true,
       'with': true,
       'log': true
-    };
-    if (knownHelpers) {
-      for (var name in knownHelpers) {
-        this.options.knownHelpers[name] = knownHelpers[name];
-      }
-    }
+    }, this.options.knownHelpers);
 
     return this.accept(program);
   },